From 34f5f61a10840617b97d6d4587f62b16fa8d69f0 Mon Sep 17 00:00:00 2001 
From: erik-krogh Date: Mon, 27 Jan 2025 18:15:12 +0100 Subject: [PATCH 1/9] all: use my script to delete outdated deprecations --- .../lib/semmle/code/cpp/dataflow/DataFlow.qll | 13 - .../code/cpp/dataflow/TaintTracking.qll | 14 - cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll | 5 - csharp/ql/lib/semmle/code/csharp/Generics.qll | 28 - .../csharp/controlflow/ControlFlowGraph.qll | 7 - .../IncorrectIntegerConversionLib.qll | 14 - java/ql/lib/semmle/code/java/Expr.qll | 33 - java/ql/lib/semmle/code/java/JDK.qll | 3 - java/ql/lib/semmle/code/java/Reflection.qll | 21 - .../semmle/code/java/dataflow/FlowSources.qll | 30 - .../dataflow/internal/TaintTrackingUtil.qll | 3 - .../semmle/code/java/deadcode/EntryPoints.qll | 3 - .../semmle/code/java/frameworks/Mockito.qll | 3 - .../CleartextStorageAndroidDatabaseQuery.qll | 3 - .../CleartextStorageSharedPrefsQuery.qll | 3 - .../HardcodedCredentialsComparison.qll | 3 - java/ql/lib/semmle/code/java/security/JWT.qll | 3 - .../java/security/PartialPathTraversal.qll | 3 - .../code/java/security/SensitiveActions.qll | 3 - .../code/java/security/SensitiveApi.qll | 39 - ...TempDirLocalInformationDisclosureQuery.qll | 10 - .../security/UnsafeDeserializationQuery.qll | 3 - .../semmle/code/java/security/XmlParsers.qll | 59 -- .../Likely Bugs/Resource Leaks/CloseType.qll | 3 - .../lib/semmle/javascript/ES2015Modules.qll | 27 - javascript/ql/lib/semmle/javascript/Expr.qll | 11 - .../dataflow/BrokenCryptoAlgorithmQuery.qll | 16 - .../dataflow/BuildArtifactLeakQuery.qll | 21 - .../CleartextLoggingCustomizations.qll | 21 +- .../dataflow/CleartextLoggingQuery.qll | 21 - .../dataflow/CleartextStorageQuery.qll | 13 - .../ClientSideRequestForgeryQuery.qll | 27 - .../dataflow/ClientSideUrlRedirectQuery.qll | 45 - .../security/dataflow/CodeInjectionQuery.qll | 20 - .../dataflow/CommandInjectionQuery.qll | 13 - .../dataflow/ConditionalBypassQuery.qll | 78 -- ...orsMisconfigurationForCredentialsQuery.qll | 20 - .../DeepObjectResourceExhaustionQuery.qll | 
30 - .../dataflow/DomBasedXssCustomizations.qll | 7 - .../security/dataflow/DomBasedXssQuery.qll | 34 - .../security/dataflow/ExceptionXssQuery.qll | 30 - .../ExternalAPIUsedWithUntrustedDataQuery.qll | 49 - .../dataflow/FileAccessToHttpQuery.qll | 24 - .../dataflow/HardcodedCredentialsQuery.qll | 22 - .../HardcodedDataInterpretedAsCodeQuery.qll | 17 - ...tHeaderPoisoningInEmailGenerationQuery.qll | 11 - .../dataflow/HttpToFileAccessQuery.qll | 16 - .../ImproperCodeSanitizationQuery.qll | 13 - ...completeHtmlAttributeSanitizationQuery.qll | 32 - .../IndirectCommandInjectionQuery.qll | 23 - .../dataflow/InsecureDownloadQuery.qll | 20 - .../dataflow/InsecureRandomnessQuery.qll | 25 - .../dataflow/InsecureTemporaryFileQuery.qll | 16 - .../InsufficientPasswordHashQuery.qll | 16 - .../security/dataflow/LogInjectionQuery.qll | 13 - .../dataflow/LoopBoundInjectionQuery.qll | 28 - .../security/dataflow/NosqlInjectionQuery.qll | 34 - .../dataflow/PostMessageStarQuery.qll | 45 - .../PrototypePollutingAssignmentQuery.qll | 72 -- .../dataflow/PrototypePollutionQuery.qll | 40 - .../security/dataflow/ReflectedXssQuery.qll | 21 - .../dataflow/RegExpInjectionQuery.qll | 16 - .../dataflow/RemotePropertyInjectionQuery.qll | 17 - .../security/dataflow/RequestForgeryQuery.qll | 25 - .../dataflow/ResourceExhaustionQuery.qll | 25 - .../SecondOrderCommandInjectionQuery.qll | 29 - .../dataflow/ServerSideUrlRedirectQuery.qll | 29 - ...llCommandInjectionFromEnvironmentQuery.qll | 20 - .../security/dataflow/SqlInjectionQuery.qll | 20 - .../dataflow/StackTraceExposureQuery.qll | 17 - .../security/dataflow/StoredXssQuery.qll | 21 - .../dataflow/TaintedFormatStringQuery.qll | 16 - .../dataflow/TaintedPathCustomizations.qll | 2 - .../security/dataflow/TaintedPathQuery.qll | 31 - .../dataflow/TemplateObjectInjectionQuery.qll | 27 - ...onfusionThroughParameterTamperingQuery.qll | 22 - .../dataflow/UnsafeCodeConstruction.qll | 29 - .../dataflow/UnsafeDeserializationQuery.qll | 16 - 
.../UnsafeDynamicMethodAccessQuery.qll | 36 - .../dataflow/UnsafeHtmlConstructionQuery.qll | 3 - .../dataflow/UnsafeJQueryPluginQuery.qll | 41 - .../UnsafeShellCommandConstructionQuery.qll | 30 - ...lidatedDynamicMethodCallCustomizations.qll | 12 - .../UnvalidatedDynamicMethodCallQuery.qll | 34 - .../security/dataflow/XmlBombQuery.qll | 16 - .../security/dataflow/XpathInjectionQuery.qll | 16 - .../security/dataflow/XssThroughDomQuery.qll | 40 - .../javascript/security/dataflow/XxeQuery.qll | 16 - .../security/dataflow/ZipSlipQuery.qll | 30 - .../security/regexp/PolynomialReDoSQuery.qll | 31 - .../experimental/Security/CWE-918/SSRF.qll | 7 - .../frameworks/Templating/XssDiff.ql | 3 - .../python/dataflow/new/TypeTracker.qll | 60 -- .../dataflow/new/internal/TypeTracker.qll | 950 +----------------- .../new/internal/TypeTrackerSpecific.qll | 60 -- .../lib/semmle/python/frameworks/Stdlib.qll | 162 --- ruby/ql/lib/codeql/ruby/ApiGraphs.qll | 366 ------- .../lib/codeql/ruby/controlflow/CfgNodes.qll | 7 - .../dataflow/internal/DataFlowPrivate.qll | 3 +- .../ruby/dataflow/internal/DataFlowPublic.qll | 7 - .../codeql/ruby/frameworks/ActiveRecord.qll | 94 -- .../codeql/ruby/frameworks/ActiveResource.qll | 47 - ruby/ql/lib/codeql/ruby/frameworks/Twirp.qll | 30 - .../ruby/security/InsecureDownloadQuery.qll | 6 - .../ruby/security/LdapInjectionQuery.qll | 9 - .../codeql/ruby/security/StoredXSSQuery.qll | 9 - .../UnsafeCodeConstructionCustomizations.qll | 2 - ...ShellCommandConstructionCustomizations.qll | 2 - .../ruby/security/XpathInjectionQuery.qll | 8 - .../codeql/ruby/typetracking/TypeTracker.qll | 925 +---------------- .../ruby/typetracking/TypeTrackerSpecific.qll | 131 --- .../library-tests/frameworks/Twirp/Twirp.ql | 2 - .../frameworks/active_record/ActiveRecord.ql | 10 - .../active_resource/ActiveResource.ql | 4 - shared/dataflow/codeql/dataflow/DataFlow.qll | 10 - .../codeql/dataflow/TaintTracking.qll | 12 - .../codeql/dataflow/internal/DataFlowImpl.qll | 12 - 
.../codeql/typetracking/TypeTracking.qll | 2 - .../internal/TypeTrackingImpl.qll | 7 - .../dataflow/internal/DataFlowPublic.qll | 5 - swift/ql/lib/codeql/swift/regex/Regex.qll | 15 - 121 files changed, 4 insertions(+), 4910 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll index a478da5193e0..b8262141dc8b 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll @@ -18,16 +18,3 @@ */ import cpp - -/** - * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead. - * - * Provides classes for performing local (intra-procedural) and - * global (inter-procedural) data flow analyses. - */ -deprecated module DataFlow { - private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific - private import codeql.dataflow.DataFlow - import DataFlowMake - import Public -} diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll index 36af8d9660bb..238a05e55d04 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll @@ -16,17 +16,3 @@ */ import semmle.code.cpp.dataflow.DataFlow - -/** - * DEPRECATED: Use `semmle.code.cpp.dataflow.new.TaintTracking` instead. - * - * Provides classes for performing local (intra-procedural) and - * global (inter-procedural) taint-tracking analyses. - */ -deprecated module TaintTracking { - import semmle.code.cpp.dataflow.internal.TaintTrackingUtil - private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific - private import semmle.code.cpp.dataflow.internal.TaintTrackingImplSpecific - private import codeql.dataflow.TaintTracking - import TaintFlowMake -} diff --git a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll index 91b57049a54e..8ae182394186 100644 --- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll 
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -1110,11 +1110,6 @@ class DeleteOrDeleteArrayExpr extends Expr, TDeleteOrDeleteArrayExpr {
 expr_deallocator(underlyingElement(this), unresolveElement(result), _)
 }
 
- /**
- * DEPRECATED: use `getDeallocatorCall` instead.
- */
- deprecated FunctionCall getAllocatorCall() { result = this.getChild(0) }
-
 /**
 * Gets the call to a non-default `operator delete`/`delete[]` that deallocates storage, if any.
 *
diff --git a/csharp/ql/lib/semmle/code/csharp/Generics.qll b/csharp/ql/lib/semmle/code/csharp/Generics.qll
index 81535fc1008a..b5ef16c575e9 100644
--- a/csharp/ql/lib/semmle/code/csharp/Generics.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Generics.qll
@@ -143,18 +143,6 @@ class UnboundGenericType extends ValueOrRefType, UnboundGeneric {
 result = UnboundGeneric.super.getAConstructedGeneric()
 }
 
- /**
- * DEPRECATED: predicate does not contain any tuples.
- *
- * Gets the instance type of this type. For an unbound generic type, the instance type
- * is a constructed type created from the unbound type, with each of the supplied type
- * arguments being the corresponding type parameter.
- */
- deprecated ConstructedType getInstanceType() {
- result = this.getAConstructedGeneric() and
- forall(TypeParameter tp, int i | tp = this.getTypeParameter(i) | tp = result.getTypeArgument(i))
- }
-
 override Location getALocation() { type_location(this, result) }
 
 override UnboundGenericType getUnboundDeclaration() {
@@ -312,10 +300,6 @@ class TypeParameterConstraints extends Element, @type_parameter_constraints {
 * ```
 */
 class UnboundGenericStruct extends Struct, UnboundGenericType {
- deprecated override ConstructedStruct getInstanceType() {
- result = UnboundGenericType.super.getInstanceType()
- }
-
 override ConstructedStruct getAConstructedGeneric() {
 result = UnboundGenericType.super.getAConstructedGeneric()
 }
@@ -335,10 +319,6 @@ class UnboundGenericStruct extends Struct, UnboundGenericType {
 * ```
 */
 class UnboundGenericClass extends Class, UnboundGenericType {
- deprecated override ConstructedClass getInstanceType() {
- result = UnboundGenericType.super.getInstanceType()
- }
-
 override ConstructedClass getAConstructedGeneric() {
 result = UnboundGenericType.super.getAConstructedGeneric()
 }
@@ -358,10 +338,6 @@ class UnboundGenericClass extends Class, UnboundGenericType {
 * ```
 */
 class UnboundGenericInterface extends Interface, UnboundGenericType {
- deprecated override ConstructedInterface getInstanceType() {
- result = UnboundGenericType.super.getInstanceType()
- }
-
 override ConstructedInterface getAConstructedGeneric() {
 result = UnboundGenericType.super.getAConstructedGeneric()
 }
@@ -382,10 +358,6 @@ class UnboundGenericInterface extends Interface, UnboundGenericType {
 * ```
 */
 class UnboundGenericDelegateType extends DelegateType, UnboundGenericType {
- deprecated override ConstructedDelegateType getInstanceType() {
- result = UnboundGenericType.super.getInstanceType()
- }
-
 override ConstructedDelegateType getAConstructedGeneric() {
 result = UnboundGenericType.super.getAConstructedGeneric()
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll
index 0489044d9228..2334d240935f 100644
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll
@@ -29,13 +29,6 @@ module ControlFlow {
 /** Gets the control flow element that this node corresponds to, if any. */
 final ControlFlowElement getAstNode() { result = super.getAstNode() }
 
- /**
- * DEPRECATED: Use `getAstNode` instead.
- *
- * Gets the control flow element that this node corresponds to, if any.
- */
- deprecated ControlFlowElement getElement() { result = this.getAstNode() }
-
 /** Gets the basic block that this control flow node belongs to. */
 BasicBlock getBasicBlock() { result.getANode() = this }
 
diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
index 3c6cddc427f8..9125ab6e400a 100644
--- a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
+++ b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
@@ -448,20 +448,6 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
 */
 module Flow = DataFlow::GlobalWithState;
 
-/** Gets a string describing the size of the integer parsed. */
-deprecated string describeBitSize(int bitSize, int intTypeBitSize) {
- intTypeBitSize in [0, 32, 64] and
- if bitSize != 0
- then bitSize in [8, 16, 32, 64] and result = "a " + bitSize + "-bit integer"
- else
- if intTypeBitSize = 0
- then result = "an integer with architecture-dependent bit size"
- else
- result =
- "a number with architecture-dependent bit-width, which is constrained to be " +
- intTypeBitSize + "-bit by build constraints,"
-}
-
 /** Gets a string describing the size of the integer parsed. */
 string describeBitSize2(DataFlow::Node source) {
 exists(int sourceBitSize, int intTypeBitSize, boolean isSigned, string signedString |
diff --git a/java/ql/lib/semmle/code/java/Expr.qll b/java/ql/lib/semmle/code/java/Expr.qll
index 24e5a6e24d8b..cb02791e96cc 100644
--- a/java/ql/lib/semmle/code/java/Expr.qll
+++ b/java/ql/lib/semmle/code/java/Expr.qll
@@ -1924,9 +1924,6 @@ class VarAccess extends Expr, @varaccess {
 exists(UnaryAssignExpr e | e.getExpr() = this)
 }
 
- /** DEPRECATED: Alias for `isVarWrite`. */
- deprecated predicate isLValue() { this.isVarWrite() }
-
 /**
 * Holds if this variable access is a read access.
 *
@@ -1936,9 +1933,6 @@ class VarAccess extends Expr, @varaccess {
 */
 predicate isVarRead() { not exists(AssignExpr a | a.getDest() = this) }
 
- /** DEPRECATED: Alias for `isVarRead`. */
- deprecated predicate isRValue() { this.isVarRead() }
-
 /** Gets a printable representation of this expression. */
 override string toString() {
 exists(Expr q | q = this.getQualifier() |
@@ -2002,14 +1996,8 @@ class VarWrite extends VarAccess {
 * are source expressions of the assignment.
 */
 Expr getASource() { exists(Assignment e | e.getDest() = this and e.getSource() = result) }
-
- /** DEPRECATED: (Inaccurately-named) alias for `getASource` */
- deprecated Expr getRhs() { result = this.getASource() }
 }
 
-/** DEPRECATED: Alias for `VarWrite`. */
-deprecated class LValue = VarWrite;
-
 /**
 * A read access to a variable.
 *
@@ -2021,9 +2009,6 @@ class VarRead extends VarAccess {
 VarRead() { this.isVarRead() }
 }
 
-/** DEPRECATED: Alias for `VarRead`. */
-deprecated class RValue = VarRead;
-
 /** A method call is an invocation of a method with a list of arguments. */
 class MethodCall extends Expr, Call, @methodaccess {
 /** Gets the qualifying expression of this method access, if any. */
@@ -2082,9 +2067,6 @@ class MethodCall extends Expr, Call, @methodaccess {
 */
 predicate isOwnMethodCall() { Qualifier::ownMemberAccess(this) }
 
- /** DEPRECATED: Alias for `isOwnMethodCall`. */
- deprecated predicate isOwnMethodAccess() { this.isOwnMethodCall() }
-
 /**
 * Holds if this is a method call to an instance method of the enclosing
 * class `t`. That is, the qualifier is either an explicit or implicit
@@ -2092,15 +2074,9 @@ class MethodCall extends Expr, Call, @methodaccess {
 */
 predicate isEnclosingMethodCall(RefType t) { Qualifier::enclosingMemberAccess(this, t) }
 
- /** DEPRECATED: Alias for `isEnclosingMethodCall`. */
- deprecated predicate isEnclosingMethodAccess(RefType t) { this.isEnclosingMethodCall(t) }
-
 override string getAPrimaryQlClass() { result = "MethodCall" }
 }
 
-/** DEPRECATED: Alias for `MethodCall`. */
-deprecated class MethodAccess = MethodCall;
-
 /** A type access is a (possibly qualified) reference to a type. */
 class TypeAccess extends Expr, Annotatable, @typeaccess {
 /** Gets the qualifier of this type access, if any. */
@@ -2275,25 +2251,16 @@ class VirtualMethodCall extends MethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `VirtualMethodCall`. */
-deprecated class VirtualMethodAccess = VirtualMethodCall;
-
 /** A static method call. */
 class StaticMethodCall extends MethodCall {
 StaticMethodCall() { this.getMethod().isStatic() }
 }
 
-/** DEPRECATED: Alias for `StaticMethodCall`. */
-deprecated class StaticMethodAccess = StaticMethodCall;
-
 /** A call to a method in the superclass. */
 class SuperMethodCall extends MethodCall {
 SuperMethodCall() { this.getQualifier() instanceof SuperAccess }
 }
 
-/** DEPRECATED: Alias for `SuperMethodCall`. */
-deprecated class SuperMethodAccess = SuperMethodCall;
-
 /**
 * A constructor call, which occurs either as a constructor invocation inside a
 * constructor, or as part of a class instance expression.
diff --git a/java/ql/lib/semmle/code/java/JDK.qll b/java/ql/lib/semmle/code/java/JDK.qll
index ee86cf0a1913..e1fbf9317465 100644
--- a/java/ql/lib/semmle/code/java/JDK.qll
+++ b/java/ql/lib/semmle/code/java/JDK.qll
@@ -250,9 +250,6 @@ class MethodCallSystemGetProperty extends MethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `MethodCallSystemGetProperty`. */
-deprecated class MethodAccessSystemGetProperty = MethodCallSystemGetProperty;
-
 /**
 * Any method named `exit` on class `java.lang.Runtime` or `java.lang.System`.
 */
diff --git a/java/ql/lib/semmle/code/java/Reflection.qll b/java/ql/lib/semmle/code/java/Reflection.qll
index d6449dca2230..da287387e173 100644
--- a/java/ql/lib/semmle/code/java/Reflection.qll
+++ b/java/ql/lib/semmle/code/java/Reflection.qll
@@ -83,9 +83,6 @@ class ReflectiveClassIdentifierMethodCall extends ReflectiveClassIdentifier, Met
 }
 }
 
-/** DEPRECATED: Alias for `ReflectiveClassIdentifierMethodCall`. */
-deprecated class ReflectiveClassIdentifierMethodAccess = ReflectiveClassIdentifierMethodCall;
-
 /**
 * Gets a `ReflectiveClassIdentifier` that we believe may represent the value of `expr`.
 */
@@ -320,9 +317,6 @@ class ClassMethodCall extends MethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `ClassMethodCall`. */
-deprecated class ClassMethodAccess = ClassMethodCall;
-
 /**
 * A call to `Class.getConstructors(..)` or `Class.getDeclaredConstructors(..)`.
 */
@@ -333,9 +327,6 @@ class ReflectiveGetConstructorsCall extends ClassMethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `ReflectiveGetConstructorsCall`. */
-deprecated class ReflectiveConstructorsAccess = ReflectiveGetConstructorsCall;
-
 /**
 * A call to `Class.getMethods(..)` or `Class.getDeclaredMethods(..)`.
 */
@@ -346,9 +337,6 @@ class ReflectiveGetMethodsCall extends ClassMethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `ReflectiveGetMethodsCall`. */
-deprecated class ReflectiveMethodsAccess = ReflectiveGetMethodsCall;
-
 /**
 * A call to `Class.getMethod(..)` or `Class.getDeclaredMethod(..)`.
 */
@@ -378,9 +366,6 @@ class ReflectiveGetMethodCall extends ClassMethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `ReflectiveGetMethodCall`. */
-deprecated class ReflectiveMethodAccess = ReflectiveGetMethodCall;
-
 /**
 * A call to `Class.getAnnotation(..)`.
 */
@@ -395,9 +380,6 @@ class ReflectiveGetAnnotationCall extends ClassMethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `ReflectiveGetAnnotationCall`. */
-deprecated class ReflectiveAnnotationAccess = ReflectiveGetAnnotationCall;
-
 /**
 * A call to `Class.getField(..)` that accesses a field.
 */
@@ -423,6 +405,3 @@ class ReflectiveGetFieldCall extends ClassMethodCall {
 result.hasName(this.getArgument(0).(StringLiteral).getValue())
 }
 }
-
-/** DEPRECATED: Alias for `ReflectiveGetFieldCall`. */
-deprecated class ReflectiveFieldAccess = ReflectiveGetFieldCall;
diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
index 77af39967c69..f63eae183c49 100644
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -200,25 +200,6 @@ abstract class LocalUserInput extends UserInput {
 override string getThreatModel() { result = "local" }
 }
 
-/**
- * DEPRECATED: Use the threat models feature.
- * That is, use `ActiveThreatModelSource` as the class of nodes for sources
- * and set up the threat model configuration to filter source nodes.
- * Alternatively, use `getThreatModel` to filter nodes to create the
- * class of nodes you need.
- *
- * A node with input from the local environment, such as files, standard in,
- * environment variables, and main method parameters.
- */
-deprecated class EnvInput extends DataFlow::Node {
- EnvInput() {
- this instanceof EnvironmentInput or
- this instanceof CliInput or
- this instanceof FileInput or
- this instanceof StdinInput
- }
-}
-
 /**
 * A node with input from the local environment, such as
 * environment variables.
@@ -271,17 +252,6 @@ private class FileInput extends LocalUserInput {
 override string getThreatModel() { result = "file" }
 }
 
-/**
- * DEPRECATED: Use the threat models feature.
- * That is, use `ActiveThreatModelSource` as the class of nodes for sources
- * and set up the threat model configuration to filter source nodes.
- * Alternatively, use `getThreatModel` to filter nodes to create the
- * class of nodes you need.
- *
- * A node with input from a database.
- */
-deprecated class DatabaseInput = DbInput;
-
 /**
 * A node with input from a database.
 */
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 1c7db851a2cc..d4890b96f8e8 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -484,9 +484,6 @@ class ObjectOutputStreamVar extends LocalVariableDecl {
 result.getQualifier() = this.getAnAccess() and
 result.getMethod().hasName("writeObject")
 }
-
- /** DEPRECATED: Alias for `getAWriteObjectMethodCall`. */
- deprecated MethodCall getAWriteObjectMethodAccess() { result = this.getAWriteObjectMethodCall() }
 }
 
 /** Flow through string formatting. */
diff --git a/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll b/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll
index d3fb138bef23..bca78aeae05c 100644
--- a/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll
+++ b/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll
@@ -168,9 +168,6 @@ class ReflectiveGetMethodCallEntryPoint extends EntryPoint, ReflectiveGetMethodC
 }
 }
 
-/** DEPRECATED: Alias for `ReflectiveGetMethodCallEntryPoint`. */
-deprecated class ReflectiveMethodAccessEntryPoint = ReflectiveGetMethodCallEntryPoint;
-
 /**
 * Classes that are entry points recognised by annotations.
 */
diff --git a/java/ql/lib/semmle/code/java/frameworks/Mockito.qll b/java/ql/lib/semmle/code/java/frameworks/Mockito.qll
index 38af7eb8575f..0f5971a68ace 100644
--- a/java/ql/lib/semmle/code/java/frameworks/Mockito.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Mockito.qll
@@ -25,9 +25,6 @@ class MockitoVerifiedMethodCall extends MethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `MockitoVerifiedMethodCall`. */
-deprecated class MockitoVerifiedMethodAccess = MockitoVerifiedMethodCall;
-
 /**
 * A type that can be mocked by Mockito.
 */
diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll
index 5ee9248d9eb5..f40dc5d97dea 100644
--- a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll
@@ -45,9 +45,6 @@ class LocalDatabaseOpenMethodCall extends Storable, Call {
 }
 }
 
-/** DEPRECATED: Alias for `LocalDatabaseOpenMethodCall`. */
-deprecated class LocalDatabaseOpenMethodAccess = LocalDatabaseOpenMethodCall;
-
 /** A method that is both a database input and a database store. */
 private class LocalDatabaseInputStoreMethod extends Method {
 LocalDatabaseInputStoreMethod() {
diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll
index f72d40106e35..7300ce1447da 100644
--- a/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll
@@ -45,9 +45,6 @@ class SharedPreferencesEditorMethodCall extends Storable, MethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `SharedPreferencesEditorMethodCall`. */
-deprecated class SharedPreferencesEditorMethodAccess = SharedPreferencesEditorMethodCall;
-
 /**
 * Holds if `input` is the second argument of a setter method
 * called on `editor`, which is an instance of `SharedPreferences$Editor`.
diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsComparison.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsComparison.qll
index f76385ecb68a..d15d9d05d301 100644
--- a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsComparison.qll
+++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsComparison.qll
@@ -12,9 +12,6 @@ class EqualsCall extends MethodCall {
 EqualsCall() { this.getMethod() instanceof EqualsMethod }
 }
 
-/** DEPRECATED: Alias for `EqualsCall`. */
-deprecated class EqualsAccess = EqualsCall;
-
 /**
 * Holds if `sink` compares password `p` against a hardcoded expression `source`.
 */
diff --git a/java/ql/lib/semmle/code/java/security/JWT.qll b/java/ql/lib/semmle/code/java/security/JWT.qll
index 5ba47072dc68..c282d32ea099 100644
--- a/java/ql/lib/semmle/code/java/security/JWT.qll
+++ b/java/ql/lib/semmle/code/java/security/JWT.qll
@@ -44,9 +44,6 @@ class JwtParserWithInsecureParseSink extends ApiSinkNode {
 
 /** Gets the method access that does the insecure parsing. */
 MethodCall getParseMethodCall() { result = insecureParseMa }
-
- /** DEPRECATED: Alias for `getParseMethodCall`. */
- deprecated MethodCall getParseMethodAccess() { result = this.getParseMethodCall() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversal.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversal.qll
index 32d366faa989..aaf578a6225f 100644
--- a/java/ql/lib/semmle/code/java/security/PartialPathTraversal.qll
+++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversal.qll
@@ -58,6 +58,3 @@ class PartialPathTraversalMethodCall extends MethodCall {
 not isSafe(this.getArgument(0))
 }
 }
-
-/** DEPRECATED: Alias for `PartialPathTraversalMethodCall`. */
-deprecated class PartialPathTraversalMethodAccess = PartialPathTraversalMethodCall;
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveActions.qll b/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
index a3fc00b19e39..2320afb8eef0 100644
--- a/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
@@ -65,9 +65,6 @@ class SensitiveMethodCall extends SensitiveExpr, MethodCall {
 }
 }
 
-/** DEPRECATED: Alias for `SensitiveMethodCall`. */
-deprecated class SensitiveMethodAccess = SensitiveMethodCall;
-
 /** Access to a variable that might contain sensitive data. */
 class SensitiveVarAccess extends SensitiveExpr, VarAccess {
 SensitiveVarAccess() {
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
index d158fa4a92cc..559919f792ec 100644
--- a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
@@ -31,42 +31,3 @@ class UsernameSink extends CredentialsSinkNode {
 class CryptoKeySink extends CredentialsSinkNode {
 CryptoKeySink() { sinkNode(this, "credentials-key") }
 }
-
-/**
- * DEPRECATED: Use the `PasswordSink` class instead.
- * Holds if callable `c` from a standard Java API expects a password parameter at index `i`.
- */
-deprecated predicate javaApiCallablePasswordParam(Callable c, int i) {
- exists(PasswordSink sink, MethodCall mc |
- sink.asExpr() = mc.getArgument(i) and c = mc.getCallee()
- )
-}
-
-/**
- * DEPRECATED: Use the `UsernameSink` class instead.
- * Holds if callable `c` from a standard Java API expects a username parameter at index `i`.
- */
-deprecated predicate javaApiCallableUsernameParam(Callable c, int i) {
- exists(UsernameSink sink, MethodCall mc |
- sink.asExpr() = mc.getArgument(i) and c = mc.getCallee()
- )
-}
-
-/**
- * DEPRECATED: Use the `CryptoKeySink` class instead.
- * Holds if callable `c` from a standard Java API expects a cryptographic key parameter at index `i`.
- */
-deprecated predicate javaApiCallableCryptoKeyParam(Callable c, int i) {
- exists(CryptoKeySink sink, MethodCall mc |
- sink.asExpr() = mc.getArgument(i) and c = mc.getCallee()
- )
-}
-
-/**
- * DEPRECATED: Use the `CredentialsSinkNode` class instead.
- * Holds if callable `c` from a known API expects a credential parameter at index `i`.
- */
-deprecated predicate otherApiCallableCredentialParam(Callable c, int i) {
- c.hasQualifiedName("javax.crypto.spec", "IvParameterSpec", "IvParameterSpec") and
- i = 0
-}
diff --git a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
index f1ffcaecc515..97ae75988b3b 100644
--- a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
@@ -215,9 +215,6 @@ abstract class MethodCallInsecureFileCreation extends MethodCall {
 DataFlow::Node getNode() { result.asExpr() = this }
 }
 
-/** DEPRECATED: Alias for `MethodCallInsecureFileCreation`. */
-deprecated class MethodAccessInsecureFileCreation = MethodCallInsecureFileCreation;
-
 /**
 * An insecure call to `java.io.File.createTempFile`.
 */
@@ -236,9 +233,6 @@ class MethodCallInsecureFileCreateTempFile extends MethodCallInsecureFileCreatio
 override string getFileSystemEntityType() { result = "file" }
 }
 
-/** DEPRECATED: Alias for `MethodCallInsecureFileCreateTempFile`. */
-deprecated class MethodAccessInsecureFileCreateTempFile = MethodCallInsecureFileCreateTempFile;
-
 /**
 * The `com.google.common.io.Files.createTempDir` method.
 */
@@ -259,7 +253,3 @@ class MethodCallInsecureGuavaFilesCreateTempFile extends MethodCallInsecureFileC
 
 override string getFileSystemEntityType() { result = "directory" }
 }
-
-/** DEPRECATED: Alias for `MethodCallInsecureGuavaFilesCreateTempFile`. */
-deprecated class MethodAccessInsecureGuavaFilesCreateTempFile =
- MethodCallInsecureGuavaFilesCreateTempFile;
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
index cb76ee37c7be..b16770c222b8 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -240,9 +240,6 @@ class UnsafeDeserializationSink extends ApiSinkNode, DataFlow::ExprNode {
 
 /** Gets a call that triggers unsafe deserialization. */
 MethodCall getMethodCall() { unsafeDeserialization(result, this.getExpr()) }
-
- /** DEPRECATED: Alias for `getMethodCall`. */
- deprecated MethodCall getMethodAccess() { result = this.getMethodCall() }
 }
 
 /** Holds if `node` is a sanitizer for unsafe deserialization */
diff --git a/java/ql/lib/semmle/code/java/security/XmlParsers.qll b/java/ql/lib/semmle/code/java/security/XmlParsers.qll
index fc0b52b6f789..d470997e1be1 100644
--- a/java/ql/lib/semmle/code/java/security/XmlParsers.qll
+++ b/java/ql/lib/semmle/code/java/security/XmlParsers.qll
@@ -550,21 +550,10 @@ class XmlReaderConfig extends ParserConfig {
 }
 }
 
-deprecated private module ExplicitlySafeXmlReaderFlowConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ExplicitlySafeXmlReader }
-
- predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SafeXmlReaderFlowSink }
-
- int fieldFlowBranchLimit() { result = 0 }
-}
-
 private predicate explicitlySafeXmlReaderNode(DataFlow::Node src) {
 src.asExpr() instanceof ExplicitlySafeXmlReader
 }
 
-deprecated private module ExplicitlySafeXmlReaderFlowDeprecated =
- DataFlow::Global;
-
 private module ExplicitlySafeXmlReaderFlow = DataFlow::SimpleGlobal;
 
 /** An argument to a safe XML reader. */
@@ -608,28 +597,12 @@ class ExplicitlySafeXmlReader extends VarAccess {
 )
 )
 }
-
- /** DEPRECATED. Holds if `SafeXmlReaderFlowSink` detects flow from this to `sink` */
- deprecated predicate flowsTo(SafeXmlReaderFlowSink sink) {
- ExplicitlySafeXmlReaderFlowDeprecated::flow(DataFlow::exprNode(this), DataFlow::exprNode(sink))
- }
-}
-
-deprecated private module CreatedSafeXmlReaderFlowConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node src) { src.asExpr() instanceof CreatedSafeXmlReader }
-
- predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SafeXmlReaderFlowSink }
-
- int fieldFlowBranchLimit() { result = 0 }
 }
 
 private predicate createdSafeXmlReaderNode(DataFlow::Node src) {
 src.asExpr() instanceof CreatedSafeXmlReader
 }
 
-deprecated private module CreatedSafeXmlReaderFlowDeprecated =
- DataFlow::Global;
-
 private module CreatedSafeXmlReaderFlow = DataFlow::SimpleGlobal;
 
 /** An `XmlReader` that is obtained from a safe source. */
@@ -651,11 +624,6 @@ class CreatedSafeXmlReader extends Call {
 package.matches("com.google.%common.xml.parsing")
 )
 }
-
- /** DEPRECATED. Holds if `CreatedSafeXmlReaderFlowConfig` detects flow from this to `sink` */
- deprecated predicate flowsTo(SafeXmlReaderFlowSink sink) {
- CreatedSafeXmlReaderFlowDeprecated::flow(DataFlow::exprNode(this), DataFlow::exprNode(sink))
- }
 }
 /*
@@ -831,37 +799,10 @@ class TransformerFactoryConfig extends TransformerConfig {
 }
 }
-/**
- * DEPRECATED.
- *
- * A dataflow configuration that identifies `TransformerFactory` and `SAXTransformerFactory`
- * instances that have been safely configured.
- */
-deprecated module SafeTransformerFactoryFlowConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeTransformerFactory }
-
- predicate isSink(DataFlow::Node sink) {
- exists(MethodCall ma |
- sink.asExpr() = ma.getQualifier() and
- ma.getMethod().getDeclaringType() instanceof TransformerFactory
- )
- }
-
- int fieldFlowBranchLimit() { result = 0 }
-}
-
 private predicate safeTransformerFactoryNode(DataFlow::Node src) {
 src.asExpr() instanceof SafeTransformerFactory
 }
-/**
- * DEPRECATED.
- *
- * Identifies `TransformerFactory` and `SAXTransformerFactory`
- * instances that have been safely configured.
- */
-deprecated module SafeTransformerFactoryFlow = DataFlow::Global;
-
 private module SafeTransformerFactoryFlow2 = DataFlow::SimpleGlobal;
 /** A safely configured `TransformerFactory`. */
diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseType.qll b/java/ql/src/Likely Bugs/Resource Leaks/CloseType.qll
index 53b213aa3be0..41239f249a27 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseType.qll
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseType.qll
@@ -54,9 +54,6 @@ class SqlResourceOpeningMethodCall extends MethodCall {
 }
 }
-/** DEPRECATED: Alias for `SqlResourceOpeningMethodCall`. */
-deprecated class SqlResourceOpeningMethodAccess = SqlResourceOpeningMethodCall;
-
 /**
 * A candidate for a "closeable init" expression, which may require calling a "close" method.
 */
diff --git a/javascript/ql/lib/semmle/javascript/ES2015Modules.qll b/javascript/ql/lib/semmle/javascript/ES2015Modules.qll
index cc84fb87324d..7a2c69e8b3c0 100644
--- a/javascript/ql/lib/semmle/javascript/ES2015Modules.qll
+++ b/javascript/ql/lib/semmle/javascript/ES2015Modules.qll
@@ -104,18 +104,6 @@ class ImportDeclaration extends Stmt, Import, @import_declaration {
 */
 ObjectExpr getImportAttributes() { result = this.getChildExpr(-10) }
- /**
- * DEPRECATED: use `getImportAttributes` instead.
- * Gets the object literal passed as part of the `with` (or `assert`) clause in this import declaration.
- *
- * For example, this gets the `{ type: "json" }` object literal in the following:
- * ```js
- * import foo from "foo" with { type: "json" };
- * import foo from "foo" assert { type: "json" };
- * ```
- */
- deprecated ObjectExpr getImportAssertion() { result = this.getImportAttributes() }
-
 /** Gets the `i`th import specifier of this import declaration. */
 ImportSpecifier getSpecifier(int i) { result = this.getChildExpr(i) }
@@ -350,21 +338,6 @@ abstract class ExportDeclaration extends Stmt, @export_declaration {
 * ```
 */
 ObjectExpr getImportAttributes() { result = this.getChildExpr(-10) }
-
- /**
- * DEPRECATED: use `getImportAttributes` instead.
- * Gets the object literal passed as part of the `with` (or `assert`) clause, if this is
- * a re-export declaration.
- *
- * For example, this gets the `{ type: "json" }` expression in each of the following:
- * ```js
- * export { x } from 'foo' with { type: "json" };
- * export * from 'foo' with { type: "json" };
- * export * as x from 'foo' with { type: "json" };
- * export * from 'foo' assert { type: "json" };
- * ```
- */
- deprecated ObjectExpr getImportAssertion() { result = this.getImportAttributes() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/Expr.qll b/javascript/ql/lib/semmle/javascript/Expr.qll
index 0049c5f5aca7..4103321d580d 100644
--- a/javascript/ql/lib/semmle/javascript/Expr.qll
+++ b/javascript/ql/lib/semmle/javascript/Expr.qll
@@ -2830,17 +2830,6 @@ class DynamicImportExpr extends @dynamic_import, Expr, Import {
 */
 Expr getImportOptions() { result = this.getChildExpr(1) }
- /**
- * DEPRECATED: use `getImportOptions` instead.
- * Gets the second "argument" to the import expression, that is, the `Y` in `import(X, Y)`.
- *
- * For example, gets the `{ with: { type: "json" }}` expression in the following:
- * ```js
- * import('foo', { with: { type: "json" }})
- * ```
- */
- deprecated Expr getImportAttributes() { result = this.getImportOptions() }
-
 override Module getEnclosingModule() { result = this.getTopLevel() }
 override DataFlow::Node getImportedModuleNode() { result = DataFlow::valueNode(this) }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
index 15d0fa151d7c..c3bc6f451941 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
@@ -39,19 +39,3 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
 * Taint tracking flow for sensitive information in broken or weak cryptographic algorithms.
 */
 module BrokenCryptoAlgorithmFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `BrokenCryptoAlgorithmFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "BrokenCryptoAlgorithm" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
index c044d7b0cbc0..607ed8224990 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
@@ -38,24 +38,3 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
 * Taint tracking flow for storage of sensitive information in build artifact.
 */
 module BuildArtifactLeakFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `BuildArtifactLeakFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "BuildArtifactLeak" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
- source.(CleartextLogging::Source).getLabel() = lbl
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
- sink.(Sink).getLabel() = lbl
- }
-
- override predicate isSanitizer(DataFlow::Node node) { node instanceof CleartextLogging::Barrier }
-
- override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
- CleartextLogging::isAdditionalTaintStep(src, trg)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
index 5dca4cf1df28..38ebc9eb53d5 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -15,22 +15,12 @@ module CleartextLogging {
 abstract class Source extends DataFlow::Node {
 /** Gets a string that describes the type of this data flow source. */
 abstract string describe();
-
- /**
- * DEPRECATED. Overriding this predicate no longer has any effect.
- */
- deprecated DataFlow::FlowLabel getLabel() { result.isTaint() }
 }
 /**
 * A data flow sink for clear-text logging of sensitive information.
 */
- abstract class Sink extends DataFlow::Node {
- /**
- * DEPRECATED. Overriding this predicate no longer has any effect.
- */
- deprecated DataFlow::FlowLabel getLabel() { result.isTaint() }
- }
+ abstract class Sink extends DataFlow::Node { }
 /**
 * A barrier for clear-text logging of sensitive information.
@@ -198,15 +188,6 @@ module CleartextLogging {
 }
 }
- /**
- * DEPRECATED. Use `Barrier` instead, sanitized have been replaced by sanitized nodes.
- *
- * Holds if the edge `pred` -> `succ` should be sanitized for clear-text logging of sensitive information.
- */
- deprecated predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
- succ.(DataFlow::PropRead).getBase() = pred
- }
-
 /**
 * Holds if the edge `src` -> `trg` is an additional taint-step for clear-text logging of sensitive information.
 */
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
index efed5ba46ab3..131904006ce7 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
@@ -49,24 +49,3 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
 * Taint tracking flow for clear-text logging of sensitive information.
 */
 module CleartextLoggingFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `CleartextLoggingFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "CleartextLogging" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
- source.(Source).getLabel() = lbl
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
- sink.(Sink).getLabel() = lbl
- }
-
- override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
-
- override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
- CleartextLogging::isAdditionalTaintStep(src, trg)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
index 0fbd576959e4..d285bb49d2a0 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
@@ -30,16 +30,3 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig {
 }
 module ClearTextStorageFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `ClearTextStorageFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "ClearTextStorage" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
index 155aaca59c1e..da4f68dd7d31 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -45,30 +45,3 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
 * Taint tracking for client-side request forgery.
 */
 module ClientSideRequestForgeryFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `ClientSideRequestForgeryFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "ClientSideRequestForgery" }
-
- override predicate isSource(DataFlow::Node source) {
- exists(Source src |
- source = src and
- not src.isServerSide()
- )
- }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
-
- override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
- isAdditionalRequestForgeryStep(pred, succ)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
index 526eaf1be361..cf377f43d46a 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -62,48 +62,3 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
 * Taint-tracking flow for reasoning about unvalidated URL redirections.
 */
 module ClientSideUrlRedirectFlow = TaintTracking::GlobalWithState;
-
-/**
- * A taint-tracking configuration for reasoning about unvalidated URL redirections.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "ClientSideUrlRedirect" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
- source.(Source).getAFlowLabel() = lbl
- }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1,
- DataFlow::FlowLabel state2
- ) {
- ClientSideUrlRedirectConfig::isAdditionalFlowStep(node1, FlowState::fromFlowLabel(state1),
- node2, FlowState::fromFlowLabel(state2))
- or
- // Preserve document.url label in step from `location` to `location.href` or `location.toString()`
- state1 instanceof DocumentUrl and
- state2 instanceof DocumentUrl and
- (
- node2.(DataFlow::PropRead).accesses(node1, "href")
- or
- exists(DataFlow::CallNode call |
- call.getCalleeName() = "toString" and
- node1 = call.getReceiver() and
- node2 = call
- )
- )
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof HostnameSanitizerGuard
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
index cc9b3f16a4fc..450c067f97ae 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
@@ -32,23 +32,3 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about code injection vulnerabilities.
 */
 module CodeInjectionFlow = TaintTracking::Global;
-
-/**
- * DEPRRECATED. Use the `CodeInjectionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "CodeInjection" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
- CodeInjectionConfig::isAdditionalFlowStep(node1, node2)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
index 7c013e1f4ace..b7e08b412ed9 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -45,16 +45,3 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about command-injection vulnerabilities.
 */
 module CommandInjectionFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `CommandInjectionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "CommandInjection" }
-
- override predicate isSource(DataFlow::Node source) { CommandInjectionConfig::isSource(source) }
-
- override predicate isSink(DataFlow::Node sink) { CommandInjectionConfig::isSink(sink) }
-
- override predicate isSanitizer(DataFlow::Node node) { CommandInjectionConfig::isBarrier(node) }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll
index 759a97291c35..59990d05e176 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll
@@ -35,26 +35,6 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig {
 */
 module ConditionalBypassFlow = TaintTracking::Global;
-/**
- * DEPRECATED. Use the `ConditionalBypassFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "ConditionalBypass" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) {
- ConditionalBypassConfig::isAdditionalFlowStep(src, dst)
- }
-}
-
 /**
 * Holds if the value of `nd` flows into `guard`.
 */
@@ -149,61 +129,3 @@ predicate isEarlyAbortGuardNode(ConditionalBypassFlow::PathNode e, SensitiveActi
 not action.asExpr().getEnclosingStmt().nestedIn(guard)
 )
 }
-
-/**
- * Holds if `sink` guards `action`, and `source` taints `sink`.
- *
- * If flow from `source` taints `sink`, then an attacker can
- * control if `action` should be executed or not.
- */
-deprecated predicate isTaintedGuardForSensitiveAction(
- DataFlow::PathNode sink, DataFlow::PathNode source, SensitiveAction action
-) {
- action = sink.getNode().(Sink).getAction() and
- // exclude the intermediary sink
- not sink.getNode() instanceof SensitiveActionGuardComparisonOperand and
- exists(Configuration cfg |
- // ordinary taint tracking to a guard
- cfg.hasFlowPath(source, sink)
- or
- // taint tracking to both operands of a guard comparison
- exists(
- SensitiveActionGuardComparison cmp, DataFlow::PathNode lSource, DataFlow::PathNode rSource,
- DataFlow::PathNode lSink, DataFlow::PathNode rSink
- |
- sink.getNode() = cmp.getGuard() and
- cfg.hasFlowPath(lSource, lSink) and
- lSink.getNode() = DataFlow::valueNode(cmp.getLeftOperand()) and
- cfg.hasFlowPath(rSource, rSink) and
- rSink.getNode() = DataFlow::valueNode(cmp.getRightOperand())
- |
- source = lSource or
- source = rSource
- )
- )
-}
-
-/**
- * Holds if `e` effectively guards access to `action` by returning or throwing early.
- *
- * Example: `if (e) return; action(x)`.
- */
-deprecated predicate isEarlyAbortGuard(DataFlow::PathNode e, SensitiveAction action) {
- exists(IfStmt guard |
- // `e` is in the condition of an if-statement ...
- e.getNode().(Sink).asExpr().getParentExpr*() = guard.getCondition() and
- // ... where the then-branch always throws or returns
- exists(Stmt abort |
- abort instanceof ThrowStmt or
- abort instanceof ReturnStmt
- |
- abort.nestedIn(guard) and
- abort.getBasicBlock().(ReachableBasicBlock).postDominates(guard.getThen().getBasicBlock())
- ) and
- // ... and the else-branch does not exist
- not exists(guard.getElse())
- |
- // ... and `action` is outside the if-statement
- not action.asExpr().getEnclosingStmt().nestedIn(guard)
- )
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
index b74c16eb031f..c68c741bc837 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -37,23 +37,3 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
 * Data flow for CORS misconfiguration for credentials transfer.
 */
 module CorsMisconfigurationFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `CorsMisconfigurationFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "CorsMisconfigurationForCredentials" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
index ad03ad93b949..457d0c8112fa 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
@@ -52,33 +52,3 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
 */
 module DeepObjectResourceExhaustionFlow =
 TaintTracking::GlobalWithState;
-
-/**
- * DEPRECATED. Use the `DeepObjectResourceExhaustionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "DeepObjectResourceExhaustion" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
- source.(Source).getAFlowLabel() = label
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
- sink instanceof Sink and label = TaintedObject::label()
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof TaintedObject::SanitizerGuard
- }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
- ) {
- TaintedObject::step(src, trg, inlbl, outlbl)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
index b9f27c6a8c2e..73bd03d9b13d 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
@@ -322,13 +322,6 @@ module DomBasedXss {
 private class HtmlSanitizerAsSanitizer extends Sanitizer instanceof HtmlSanitizerCall { }
- /**
- * DEPRECATED. Use `isOptionallySanitizedNode` instead.
- *
- * Holds if there exists two dataflow edges to `succ`, where one edges is sanitized, and the other edge starts with `pred`.
- */
- deprecated predicate isOptionallySanitizedEdge = isOptionallySanitizedEdgeInternal/2;
-
 bindingset[call]
 pragma[inline_late]
 private SsaVariable getSanitizedSsaVariable(HtmlSanitizerCall call) {
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
index 36d5b3ba0a6b..5e30a5dafa14 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
@@ -122,40 +122,6 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig {
 */
 module DomBasedXssFlow = TaintTracking::GlobalWithState;
-/**
- * DEPRECATED. Use the `DomBasedXssFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "HtmlInjection" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
- DomBasedXssConfig::isSource(source, FlowState::fromFlowLabel(label))
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
- DomBasedXssConfig::isSink(sink, FlowState::fromFlowLabel(label))
- }
-
- override predicate isSanitizer(DataFlow::Node node) { DomBasedXssConfig::isBarrier(node) }
-
- override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
- DomBasedXssConfig::isBarrier(node, FlowState::fromFlowLabel(lbl))
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1,
- DataFlow::FlowLabel state2
- ) {
- DomBasedXssConfig::isAdditionalFlowStep(node1, FlowState::fromFlowLabel(state1), node2,
- FlowState::fromFlowLabel(state2))
- or
- // inherit all ordinary taint steps for the prefix label
- state1 = prefixLabel() and
- state2 = prefixLabel() and
- TaintTracking::sharedTaintStep(node1, node2)
- }
-}
-
 private class PrefixStringSanitizerActivated extends PrefixStringSanitizer {
 PrefixStringSanitizerActivated() { this = this }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll
index d7f4fe954f9c..a4b677d2946f 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll
@@ -163,33 +163,3 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig {
 * Taint-tracking for reasoning about XSS with possible exceptional flow.
 */
 module ExceptionXssFlow = TaintTracking::GlobalWithState;
-
-/**
- * DEPRECATED. Use the `ExceptionXssFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "ExceptionXss" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
- source.(Source).getAFlowLabel() = label
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
- sink instanceof XssShared::Sink and not label instanceof NotYetThrown
- }
-
- override predicate isSanitizer(DataFlow::Node node) { node instanceof XssShared::Sanitizer }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
- ) {
- ExceptionXssConfig::isAdditionalFlowStep(pred, FlowState::fromFlowLabel(inlbl), succ,
- FlowState::fromFlowLabel(outlbl))
- or
- // All the usual taint-flow steps apply on data-flow before it has been thrown in an exception.
- // Note: this step is not needed in StateConfigSig module since flow states inherit taint steps.
- this.isAdditionalFlowStep(pred, succ) and
- inlbl instanceof NotYetThrown and
- outlbl instanceof NotYetThrown
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
index 7972c379e874..dcf79522104e 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
@@ -43,55 +43,6 @@ module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig {
 module ExternalAPIUsedWithUntrustedDataFlow = TaintTracking::Global;
-/**
- * Flow label for objects from which a tainted value is reachable.
- *
- * Only used by the legacy data-flow configuration, as the new data flow configuration
- * uses `allowImplicitRead` to achieve this instead.
- */
-deprecated private class ObjectWrapperFlowLabel extends DataFlow::FlowLabel {
- ObjectWrapperFlowLabel() { this = "object-wrapper" }
-}
-
-/**
- * DEPRECATED. Use the `ExternalAPIUsedWithUntrustedDataFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "ExternalAPIUsedWithUntrustedData" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
- sink instanceof Sink and
- (lbl.isTaint() or lbl instanceof ObjectWrapperFlowLabel)
- }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel predLbl,
- DataFlow::FlowLabel succLbl
- ) {
- // Step into an object and switch to the 'object-wrapper' label.
- exists(DataFlow::PropWrite write |
- pred = write.getRhs() and
- succ = write.getBase().getALocalSource() and
- (predLbl.isTaint() or predLbl instanceof ObjectWrapperFlowLabel) and
- succLbl instanceof ObjectWrapperFlowLabel
- )
- }
-
- override predicate isSanitizerIn(DataFlow::Node node) {
- // Block flow from the location to its properties, as the relevant properties (hash and search) are taint sources of their own.
- // The location source is only used for propagating through API calls like `new URL(location)` and into external APIs where
- // the whole location object escapes.
- node = DOM::locationRef().getAPropertyRead()
- }
-}
-
 /** A node representing data being passed to an external API. */
 class ExternalApiDataNode extends DataFlow::Node instanceof Sink { }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll
index 21efb2b77702..6767baf8bb7b 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll
@@ -32,27 +32,3 @@ module FileAccessToHttpConfig implements DataFlow::ConfigSig {
 * Taint tracking for file data in outbound network requests.
 */
 module FileAccessToHttpFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `FileAccessToHttpFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "FileAccessToHttp" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
- // taint entire object on property write
- exists(DataFlow::PropWrite pwr |
- succ = pwr.getBase() and
- pred = pwr.getRhs()
- )
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
index d589b3a15595..14e5d4f0ed55 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
@@ -77,25 +77,3 @@ module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
 * Data flow for reasoning about hardcoded credentials.
 */
 module HardcodedCredentials = DataFlow::Global;
-
-/**
- * DEPRECATED. Use the `HardcodedCredentials` module instead.
- */
-deprecated class Configuration extends DataFlow::Configuration {
- Configuration() { this = "HardcodedCredentials" }
-
- override predicate isSource(DataFlow::Node source) {
- HardcodedCredentialsConfig::isSource(source)
- }
-
- override predicate isSink(DataFlow::Node sink) { HardcodedCredentialsConfig::isSink(sink) }
-
- override predicate isBarrier(DataFlow::Node node) {
- super.isBarrier(node) or
- HardcodedCredentialsConfig::isBarrier(node)
- }
-
- override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
- HardcodedCredentialsConfig::isAdditionalFlowStep(src, trg)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll
index 0d33ee11876f..3d79fdd75536 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll
@@ -43,20 +43,3 @@ module HardcodedDataInterpretedAsCodeConfig implements DataFlow::StateConfigSig
 */
 module HardcodedDataInterpretedAsCodeFlow = DataFlow::GlobalWithState;
-
-/**
- * DEPRECATED. Use the `HardcodedDataInterpretedAsCodeFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "HardcodedDataInterpretedAsCode" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
- source.(Source).getLabel() = lbl
- }
-
- override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
- nd.(Sink).getLabel() = lbl
- }
-
- override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
index 4271ef3e9b68..07ecb1333b6f 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
@@ -25,14 +25,3 @@ module HostHeaderPoisoningConfig implements DataFlow::ConfigSig {
 * Taint tracking configuration host header poisoning.
 */
 module HostHeaderPoisoningFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `HostHeaderPoisoningFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "TaintedHostHeader" }
-
- override predicate isSource(DataFlow::Node node) { HostHeaderPoisoningConfig::isSource(node) }
-
- override predicate isSink(DataFlow::Node node) { HostHeaderPoisoningConfig::isSink(node) }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
index 0525367d1e22..51992d4be471 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
@@ -25,19 +25,3 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
 * Taint tracking for writing user-controlled data to files.
 */
 module HttpToFileAccessFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `HttpToFileAccessFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "HttpToFileAccess" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll
index 1601208ed38e..1d65dc6d59e1 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll
@@ -27,16 +27,3 @@ module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about improper code sanitization vulnerabilities.
 */
 module ImproperCodeSanitizationFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `ImproperCodeSanitizationFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "ImproperCodeSanitization" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll
index 578c15635bbb..697f04c6c5cf 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll
@@ -51,35 +51,3 @@ module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfi
 */
 module IncompleteHtmlAttributeSanitizationFlow = TaintTracking::GlobalWithState;
-
-/**
- * DEPRECATED. Use the `IncompleteHtmlAttributeSanitizationFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "IncompleteHtmlAttributeSanitization" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
- label = Label::characterToLabel(source.(Source).getAnUnsanitizedCharacter())
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
- label = Label::characterToLabel(sink.(Sink).getADangerousCharacter())
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
- DataFlow::FlowLabel dstlabel
- ) {
- super.isAdditionalFlowStep(src, dst) and srclabel = dstlabel
- }
-
- override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
- lbl = Label::characterToLabel(node.(StringReplaceCall).getAReplacedString()) or
- this.isSanitizer(node)
- }
-
- override predicate isSanitizer(DataFlow::Node n) {
- n instanceof Sanitizer or
- super.isSanitizer(n)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
index 87d85911a1ba..bc993d7577ad 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -41,26 +41,3 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about command-injection vulnerabilities.
 */
 module IndirectCommandInjectionFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `IndirectCommandInjectionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "IndirectCommandInjection" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- /**
- * Holds if `sink` is a data-flow sink for command-injection vulnerabilities, and
- * the alert should be placed at the node `highlight`.
- */
- predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
- sink instanceof Sink and highlight = sink
- or
- isIndirectCommandArgument(sink, highlight)
- }
-
- override predicate isSink(DataFlow::Node sink) { this.isSinkWithHighlight(sink, _) }
-
- override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
index ffcfead78961..156a0248c886 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -37,23 +37,3 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
 * Taint tracking for download of sensitive file through insecure connection.
 */
 module InsecureDownloadFlow = DataFlow::GlobalWithState;
-
-/**
- * DEPRECATED. Use the `InsecureDownload` module instead.
- */
-deprecated class Configuration extends DataFlow::Configuration {
- Configuration() { this = "InsecureDownload" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
- InsecureDownloadConfig::isSource(source, FlowState::fromFlowLabel(label))
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
- InsecureDownloadConfig::isSink(sink, FlowState::fromFlowLabel(label))
- }
-
- override predicate isBarrier(DataFlow::Node node) {
- super.isBarrier(node) or
- InsecureDownloadConfig::isBarrier(node)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll
index 1fa4cd272b3b..6b3b33968b4e 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll
@@ -48,28 +48,3 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
 * Taint tracking for random values that are not cryptographically secure.
 */
 module InsecureRandomnessFlow = DataFlow::Global;
-
-/**
- * DEPRECATED. Use the `InsecureRandomnessFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "InsecureRandomness" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- // not making use of `super.isSanitizer`: those sanitizers are not for this kind of data
- node instanceof Sanitizer
- }
-
- override predicate isSanitizerOut(DataFlow::Node node) {
- // stop propagation at the sinks to avoid double reporting
- this.isSink(node)
- }
-
- override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
- InsecureRandomness::isAdditionalTaintStep(pred, succ)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll
index ee2f1bb96d15..7127700b87bf 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll
@@ -27,19 +27,3 @@ module InsecureTemporaryFileConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about insecure temporary file creation.
 */
 module InsecureTemporaryFileFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `InsecureTemporaryFileFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "InsecureTemporaryFile" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
index c29592569880..fc9dd3ad9a24 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
@@ -33,19 +33,3 @@ module InsufficientPasswordHashConfig implements DataFlow::ConfigSig {
 * Taint tracking for password hashing with insufficient computational effort.
 */
 module InsufficientPasswordHashFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `InsufficientPasswordHashFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "InsufficientPasswordHash" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
index 9f2060709059..9659b90f4359 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
@@ -37,19 +37,6 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
 */
 module LogInjectionFlow = TaintTracking::Global;
-/**
- * DEPRECATED. Use the `LogInjectionFlow` module instead.
- */
-deprecated class LogInjectionConfiguration extends TaintTracking::Configuration {
- LogInjectionConfiguration() { this = "LogInjection" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 /**
 * A source of remote user controlled input.
 */
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
index 522df62eca56..52e0e1a46da1 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
@@ -46,31 +46,3 @@ module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {
 * Taint tracking configuration for reasoning about looping on tainted objects with unbounded length.
 */
 module LoopBoundInjectionFlow = TaintTracking::GlobalWithState;
-
-/**
- * DEPRECATED. Use the `LoopBoundInjectionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "LoopBoundInjection" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
- source instanceof Source and label = TaintedObject::label()
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
- sink instanceof Sink and label = TaintedObject::label()
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof TaintedObject::SanitizerGuard or
- guard instanceof IsArraySanitizerGuard or
- guard instanceof InstanceofArraySanitizerGuard or
- guard instanceof LengthCheckSanitizerGuard
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
- ) {
- TaintedObject::step(src, trg, inlbl, outlbl)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
index e7d93aabb977..f7e2c5a442ab 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
@@ -59,37 +59,3 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
 * Taint-tracking for reasoning about SQL-injection vulnerabilities.
 */
 module NosqlInjectionFlow = DataFlow::GlobalWithState;
-
-/**
- * DEPRECATED. Use the `NosqlInjectionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "NosqlInjection" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
- TaintedObject::isSource(source, label)
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
- sink.(Sink).getAFlowLabel() = label
- }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof TaintedObject::SanitizerGuard
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1,
- DataFlow::FlowLabel state2
- ) {
- NosqlInjectionConfig::isAdditionalFlowStep(node1, FlowState::fromFlowLabel(state1), node2,
- FlowState::fromFlowLabel(state2))
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll
index 188f2d20fd7f..aa8c7fcf0fa3 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll
@@ -11,10 +11,6 @@ import javascript
 import PostMessageStarCustomizations::PostMessageStar
 // Materialize flow labels
-deprecated private class ConcretePartiallyTaintedObject extends PartiallyTaintedObject {
- ConcretePartiallyTaintedObject() { this = this }
-}
-
 /**
 * A taint tracking configuration for cross-window communication with unrestricted origin.
 *
@@ -45,44 +41,3 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {
 * A taint tracking configuration for cross-window communication with unrestricted origin.
 */
 module PostMessageStarFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `PostMessageStarFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "PostMessageStar" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
- sink instanceof Sink and lbl = anyLabel()
- }
-
- override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
- ) {
- // writing a tainted value to an object property makes the object partially tainted
- exists(DataFlow::PropWrite write |
- write.getRhs() = src and
- inlbl = anyLabel() and
- trg.(DataFlow::SourceNode).flowsTo(write.getBase()) and
- outlbl instanceof PartiallyTaintedObject
- )
- or
- // `toString` or `JSON.toString` on a partially tainted object gives a tainted value
- exists(DataFlow::InvokeNode toString | toString = trg |
- toString.(DataFlow::MethodCallNode).calls(src, "toString")
- or
- src = toString.(JsonStringifyCall).getInput()
- ) and
- inlbl instanceof PartiallyTaintedObject and
- outlbl.isTaint()
- or
- // `valueOf` preserves partial taint
- trg.(DataFlow::MethodCallNode).calls(src, "valueOf") and
- inlbl instanceof PartiallyTaintedObject and
- outlbl = inlbl
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
index 96eed4cadc2b..076ebf6e9de0 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll 
@@ -140,78 +140,6 @@ predicate isIgnoredLibraryFlow(ExternalInputSource source, Sink sink) {
 )
 }
-/**
- * DEPRECATED. Use the `PrototypePollutingAssignmentFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "PrototypePollutingAssignment" }
-
- override predicate isSource(DataFlow::Node node) { node instanceof Source }
-
- override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel lbl) {
- node.(Sink).getAFlowLabel() = lbl
- }
-
- override predicate isSanitizer(DataFlow::Node node) {
- PrototypePollutingAssignmentConfig::isBarrier(node)
- }
-
- override predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowLabel lbl) {
- // Suppress the value-preserving step src -> dst in `extend(dst, src)`. This is modeled as a value-preserving
- // step because it preserves all properties, but the destination is not actually Object.prototype.
- node = any(ExtendCall call).getASourceOperand() and
- lbl instanceof ObjectPrototype
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
- ) {
- PrototypePollutingAssignmentConfig::isAdditionalFlowStep(pred, FlowState::fromFlowLabel(inlbl),
- succ, FlowState::fromFlowLabel(outlbl))
- }
-
- override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
- super.hasFlowPath(source, sink) and
- // require that there is a path without unmatched return steps
- DataFlow::hasPathWithoutUnmatchedReturn(source, sink) and
- // filter away paths that start with library inputs and end with a write to a fixed property.
- not exists(ExternalInputSource src, Sink snk, DataFlow::PropWrite write |
- source.getNode() = src and sink.getNode() = snk
- |
- snk = write.getBase() and
- (
- // fixed property name
- exists(write.getPropertyName())
- or
- // non-string property name (likely number)
- exists(Expr prop | prop = write.getPropertyNameExpr() |
- not prop.analyze().getAType() = TTString()
- )
- )
- )
- }
-
- override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
- super.isLabeledBarrier(node, lbl)
- or
- // Don't propagate into the receiver, as the method lookups will generally fail on Object.prototype.
- node instanceof DataFlow::ThisNode and
- lbl instanceof ObjectPrototype
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof PropertyPresenceCheck or
- guard instanceof InExprCheck or
- guard instanceof InstanceofCheck or
- guard instanceof IsArrayCheck or
- guard instanceof TypeofCheck or
- guard instanceof NumberGuard or
- guard instanceof EqualityCheck or
- guard instanceof IncludesCheck or
- guard instanceof DenyListInclusionGuard
- }
-}
-
 /** Gets a data flow node referring to an object created with `Object.create`. */
 DataFlow::SourceNode prototypeLessObject() {
 result = prototypeLessObject(DataFlow::TypeTracker::end())
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
index 86fbb1273d97..44cddc00f74a 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
@@ -13,13 +13,6 @@ import semmle.javascript.dependencies.SemVer
 import PrototypePollutionCustomizations::PrototypePollution
 // Materialize flow labels
-/**
- * We no longer use this flow label, since it does not work in a world where flow states inherit taint steps.
- */
-deprecated private class ConcreteTaintedObjectWrapper extends TaintedObjectWrapper {
- ConcreteTaintedObjectWrapper() { this = this }
-}
-
 /**
 * A taint tracking configuration for user-controlled objects flowing into deep `extend` calls,
 * leading to prototype pollution.
@@ -65,36 +58,3 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
 * leading to prototype pollution.
 */
 module PrototypePollutionFlow = TaintTracking::GlobalWithState;
-
-/**
- * DEPRECATED. Use the `PrototypePollutionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "PrototypePollution" }
-
- override predicate isSource(DataFlow::Node node, DataFlow::FlowLabel label) {
- node.(Source).getAFlowLabel() = label
- }
-
- override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel label) {
- node.(Sink).getAFlowLabel() = label
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
- ) {
- TaintedObject::step(src, dst, inlbl, outlbl)
- or
- // Track objects are wrapped in other objects
- exists(DataFlow::PropWrite write |
- src = write.getRhs() and
- inlbl = TaintedObject::label() and
- dst = write.getBase().getALocalSource() and
- outlbl = TaintedObjectWrapper::label()
- )
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
- node instanceof TaintedObject::SanitizerGuard
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
index 55688d4b5ff9..3317d3c69fda 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
@@ -27,27 +27,6 @@ module ReflectedXssConfig implements DataFlow::ConfigSig {
 */
 module ReflectedXssFlow = TaintTracking::Global;
-/**
- * DEPRECATED. Use the `ReflectedXssFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "ReflectedXss" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof QuoteGuard or
- guard instanceof ContainsHtmlGuard
- }
-}
-
 private class QuoteGuard extends SharedXss::QuoteGuard {
 QuoteGuard() { this = this }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
index 606b0df62517..08d0b2caf6a7 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
@@ -27,19 +27,3 @@ module RegExpInjectionConfig implements DataFlow::ConfigSig {
 * Taint-tracking for untrusted user input used to construct regular expressions.
 */
 module RegExpInjectionFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `RegExpInjectionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "RegExpInjection" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
index 8f1f174d8ecf..d8f1e4622177 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
@@ -31,20 +31,3 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about remote property injection.
 */
 module RemotePropertyInjectionFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `RemotePropertyInjectionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "RemotePropertyInjection" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer or
- node = StringConcatenation::getRoot(any(ConstantString str).flow())
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
index 2628fadedbf0..23f8f4bdd137 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -40,28 +40,3 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
 * Taint tracking for server-side request forgery.
 */
 module RequestForgeryFlow = TaintTracking::Global;
-
-/**
- * DEPRECATED. Use the `RequestForgeryFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "RequestForgery" }
-
- override predicate isSource(DataFlow::Node source) { RequestForgeryConfig::isSource(source) }
-
- override predicate isSink(DataFlow::Node sink) { RequestForgeryConfig::isSink(sink) }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node)
- or
- node instanceof Sanitizer
- }
-
- override predicate isSanitizerOut(DataFlow::Node node) {
- RequestForgeryConfig::isBarrierOut(node)
- }
-
- override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
- RequestForgeryConfig::isAdditionalFlowStep(pred, succ)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
index cfad24432289..dcedce3049ae 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
@@ -36,31 +36,6 @@ module ResourceExhaustionConfig implements DataFlow::ConfigSig {
 */
 module ResourceExhaustionFlow = TaintTracking::Global;
-/**
- * DEPRECATED. Use the `ResourceExhaustionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "ResourceExhaustion" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof Sanitizer or
- node = any(DataFlow::PropRead read | read.getPropertyName() = "length")
- }
-
- override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) {
- isNumericFlowStep(src, dst)
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof UpperBoundsCheckSanitizerGuard
- }
-}
-
 /** Holds if data is converted to a number from `src` to `dst`. */
 predicate isNumericFlowStep(DataFlow::Node src, DataFlow::Node dst) {
 exists(DataFlow::CallNode c |
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
index 0c5af5abd37c..41ae0563d9d8 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
@@ -56,32 +56,3 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
 */
 module SecondOrderCommandInjectionFlow = DataFlow::GlobalWithState;
-
-/**
- * DEPRECATED. Use the `SecondOrderCommandInjectionFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
- Configuration() { this = "SecondOrderCommandInjection" }
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
- source.(Source).getALabel() = label
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
- sink.(Sink).getALabel() = label
- }
-
- override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof PrefixStringSanitizer or
- guard instanceof DoubleDashSanitizer or
- guard instanceof TaintedObject::SanitizerGuard
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
- ) {
- TaintedObject::step(src, trg, inlbl, outlbl)
- }
-}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
index e889480b48b7..7ba27a362f86 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
@@ -39,35 +39,6 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig { */ module ServerSideUrlRedirectFlow = TaintTracking::Global; -/** - * DEPRECATED. Use the `ServerSideUrlRedirectFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "ServerSideUrlRedirect" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof Sanitizer - } - - override predicate isSanitizerOut(DataFlow::Node node) { - ServerSideUrlRedirectConfig::isBarrierOut(node) - } - - override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { - guard instanceof LocalUrlSanitizingGuard or - guard instanceof HostnameSanitizerGuard - } - - override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - ServerSideUrlRedirectConfig::isAdditionalFlowStep(pred, succ) - } -} - /** * A call to a function called `isLocalUrl` or similar, which is * considered to sanitize a variable for purposes of URL redirection. diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll index 1d396da5b20d..e74aa829340a 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll 
@@ -43,23 +43,3 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig */ module ShellCommandInjectionFromEnvironmentFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `ShellCommandInjectionFromEnvironmentFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "ShellCommandInjectionFromEnvironment" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - /** Holds if `sink` is a command-injection sink with `highlight` as the corresponding alert location. */ - predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) { - sink instanceof Sink and highlight = sink - or - isIndirectCommandArgument(sink, highlight) - } - - override predicate isSink(DataFlow::Node sink) { this.isSinkWithHighlight(sink, _) } - - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll index 69dabac14680..85ae77d9d37b 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll 
@@ -39,23 +39,3 @@ module SqlInjectionConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about string based query injection vulnerabilities. */ module SqlInjectionFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `SqlInjectionFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "SqlInjection" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof Sanitizer - } - - override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - SqlInjectionConfig::isAdditionalFlowStep(pred, succ) - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll index 254df5aabe6e..0295124f44c1 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll @@ -36,20 +36,3 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about stack trace exposure problems. */ module StackTraceExposureFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `StackTraceExposureFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "StackTraceExposure" } - - override predicate isSource(DataFlow::Node src) { src instanceof Source } - - override predicate isSanitizer(DataFlow::Node nd) { - super.isSanitizer(nd) - or - StackTraceExposureConfig::isBarrier(nd) - } - - override predicate isSink(DataFlow::Node snk) { snk instanceof Sink } -} 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll index 48e186bd71e3..fa25fa1e58b8 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll @@ -27,27 +27,6 @@ module StoredXssConfig implements DataFlow::ConfigSig { */ module StoredXssFlow = TaintTracking::Global; -/** - * DEPRECATED. Use the `StoredXssFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "StoredXss" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof Sanitizer - } - - override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { - guard instanceof QuoteGuard or - guard instanceof ContainsHtmlGuard - } -} - private class QuoteGuard extends Shared::QuoteGuard { QuoteGuard() { this = this } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll index 55338477cb49..8ecdde85e768 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll 
@@ -27,19 +27,3 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig { * Taint-tracking for format injections. */ module TaintedFormatStringFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `TaintedFormatStringFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "TaintedFormatString" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof Sanitizer - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll index dc23b895a4f6..e7961fdfa10b 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll @@ -69,8 +69,6 @@ module TaintedPath { } } - deprecated class BarrierGuardNode = BarrierGuard; - private newtype TFlowState = TPosixPath(FlowState::Normalization normalization, FlowState::Relativeness relativeness) or TSplitPath() diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll index 8b50a69cedce..6c601f294bf5 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll 
@@ -55,34 +55,3 @@ module TaintedPathConfig implements DataFlow::StateConfigSig { * Taint-tracking for reasoning about tainted-path vulnerabilities. */ module TaintedPathFlow = DataFlow::GlobalWithState; - -/** - * DEPRECATED. Use the `TaintedPathFlow` module instead. - */ -deprecated class Configuration extends DataFlow::Configuration { - Configuration() { this = "TaintedPath" } - - override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { - label = source.(Source).getAFlowLabel() - } - - override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { - label = sink.(Sink).getAFlowLabel() - } - - override predicate isBarrier(DataFlow::Node node) { - super.isBarrier(node) or - node instanceof Sanitizer - } - - override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) { - guard instanceof BarrierGuardNode - } - - override predicate isAdditionalFlowStep( - DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, - DataFlow::FlowLabel dstlabel - ) { - isAdditionalTaintedPathFlowStep(src, dst, srclabel, dstlabel) - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll index 348e59937b5e..659f7a952820 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll 
@@ -53,30 +53,3 @@ module TemplateObjectInjectionConfig implements DataFlow::StateConfigSig { * Taint tracking for reasoning about template object injection vulnerabilities. */ module TemplateObjectInjectionFlow = DataFlow::GlobalWithState; - -/** - * DEPRECATED. Use the `TemplateObjectInjectionFlow` module instead. - */ -deprecated class TemplateObjInjectionConfig extends TaintTracking::Configuration { - TemplateObjInjectionConfig() { this = "TemplateObjInjectionConfig" } - - override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { - source.(Source).getAFlowLabel() = label - } - - override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { - sink instanceof Sink and label = TaintedObject::label() - } - - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { - guard instanceof TaintedObject::SanitizerGuard - } - - override predicate isAdditionalFlowStep( - DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl - ) { - TaintedObject::step(src, trg, inlbl, outlbl) - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll index 03e8c5c48ebb..28a86e7f69fe 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll 
@@ -59,25 +59,3 @@ private class IsArrayBarrier extends BarrierGuard, DataFlow::CallNode { outcome = [true, false] // separation between string/array removes type confusion in both branches } } - -/** - * DEPRECATED. Use the `TypeConfusionFlow` module instead. - */ -deprecated class Configuration extends DataFlow::Configuration { - Configuration() { this = "TypeConfusionThroughParameterTampering" } - - override predicate isSource(DataFlow::Node source) { TypeConfusionConfig::isSource(source) } - - override predicate isSink(DataFlow::Node sink) { TypeConfusionConfig::isSink(sink) } - - override predicate isBarrier(DataFlow::Node node) { - super.isBarrier(node) - or - node instanceof Barrier - } - - override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) { - guard instanceof TypeOfTestBarrier or - guard instanceof IsArrayBarrier - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll index e29d5d87a70f..92d7d6caf76b 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll 
@@ -46,33 +46,4 @@ module UnsafeCodeConstruction { * Taint-tracking for reasoning about unsafe code constructed from library input. */ module UnsafeCodeConstructionFlow = TaintTracking::Global; - - /** - * DEPRECATED. Use the `UnsafeCodeConstructionFlow` module instead. - */ - deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "UnsafeCodeConstruction" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof CodeInjection::Sanitizer - } - - override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) { - // HTML sanitizers are insufficient protection against code injection - src = trg.(HtmlSanitizerCall).getInput() - or - DataFlow::localFieldStep(src, trg) - } - - // override to require that there is a path without unmatched return steps - override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { - super.hasFlowPath(source, sink) and - DataFlow::hasPathWithoutUnmatchedReturn(source, sink) - } - } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll index b0621c6ac48e..75af7cd4d86d 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll 
@@ -26,19 +26,3 @@ module UnsafeDeserializationConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about unsafe deserialization. */ module UnsafeDeserializationFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `UnsafeDeserializationFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "UnsafeDeserialization" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof Sanitizer - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll index 423b50f17f70..dc468762c936 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll 
@@ -83,39 +83,3 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig { * Taint-tracking for reasoning about unsafe dynamic method access. */ module UnsafeDynamicMethodAccessFlow = DataFlow::GlobalWithState; - -/** - * DEPRECATED. Use the `UnsafeDynamicMethodAccessFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "UnsafeDynamicMethodAccess" } - - override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { - UnsafeDynamicMethodAccessConfig::isSource(source, FlowState::fromFlowLabel(label)) - } - - override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { - UnsafeDynamicMethodAccessConfig::isSink(sink, FlowState::fromFlowLabel(label)) - } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) - or - UnsafeDynamicMethodAccessConfig::isBarrier(node) - } - - /** - * Holds if a property of the given object is an unsafe function. - */ - predicate hasUnsafeMethods(DataFlow::SourceNode node) { - PropertyInjection::hasUnsafeMethods(node) // Redefined here so custom queries can override it - } - - override predicate isAdditionalFlowStep( - DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, - DataFlow::FlowLabel dstlabel - ) { - UnsafeDynamicMethodAccessConfig::additionalFlowStep(src, FlowState::fromFlowLabel(srclabel), - dst, FlowState::fromFlowLabel(dstlabel)) - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll index 913329813c1b..3c962c3814e2 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll 
@@ -9,9 +9,6 @@ private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizati import UnsafeHtmlConstructionCustomizations::UnsafeHtmlConstruction import semmle.javascript.security.TaintedObject -/** DEPRECATED: Mis-spelled class name, alias for Configuration. */ -deprecated class Configration = Configuration; - /** * A taint-tracking configuration for reasoning about unsafe HTML constructed from library input vulnerabilities. */ diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll index 75eeaf20cfaa..245d75b35334 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll 
@@ -51,47 +51,6 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig { */ module UnsafeJQueryPluginFlow = TaintTracking::Global; -/** - * DEPRECATED. Use the `UnsafeJQueryPluginFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "UnsafeJQueryPlugin" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) - or - node instanceof DomBasedXss::Sanitizer - or - node instanceof Sanitizer - } - - override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) { - // jQuery plugins tend to be implemented as classes that store data in fields initialized by the constructor. - DataFlow::localFieldStep(src, sink) or - aliasPropertyPresenceStep(src, sink) - } - - override predicate isSanitizerOut(DataFlow::Node node) { - // prefixing prevents forced html/css confusion: - // prefixing through concatenation: - StringConcatenation::taintStep(node, _, _, any(int i | i >= 1)) - or - // prefixing through a poor-mans templating system: - node = any(StringReplaceCall call).getRawReplacement() - } - - override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) { - super.isSanitizerGuard(node) or - node instanceof IsElementSanitizer or - node instanceof PropertyPresenceSanitizer or - node instanceof NumberGuard - } -} - /** * Holds if there is a taint-step from `src` to `sink`, * where `src` is a property read that acts as a sanitizer for the base, diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll index e006c2a2f498..2b1a340b8e62 100644 
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll @@ -42,33 +42,3 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig { */ module UnsafeShellCommandConstructionFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `UnsafeShellCommandConstructionFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "UnsafeShellCommandConstruction" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { - guard instanceof PathExistsSanitizerGuard or - guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer or - guard instanceof NumberGuard or - guard instanceof TypeOfSanitizer - } - - // override to require that there is a path without unmatched return steps - override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { - super.hasFlowPath(source, sink) and - DataFlow::hasPathWithoutUnmatchedReturn(source, sink) - } - - override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - DataFlow::localFieldStep(pred, succ) - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll index e516167a30b4..4a0b1865ece0 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll 
@@ -92,18 +92,6 @@ module UnvalidatedDynamicMethodCall { /** DEPRECATED. Use `getAFlowState()` instead. */ deprecated DataFlow::FlowLabel getFlowLabel() { result = this.getAFlowState().toFlowLabel() } - - /** - * DEPRECATED. Use sanitizer nodes instead. - * - * This predicate no longer has any effect. The `this` value of `Sanitizer` is instead - * treated as a sanitizing node, that is, flow in and out of that node is prohibited. - */ - deprecated predicate sanitizes( - DataFlow::Node source, DataFlow::Node sink, DataFlow::FlowLabel lbl - ) { - none() - } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll index 7b6a6124edaf..8cf5279fe42f 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll 
@@ -100,37 +100,3 @@ module UnvalidatedDynamicMethodCallConfig implements DataFlow::StateConfigSig { */ module UnvalidatedDynamicMethodCallFlow = DataFlow::GlobalWithState; - -/** - * DEPRECATED. Use the `UnvalidatedDynamicMethodCallFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "UnvalidatedDynamicMethodCall" } - - override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { - source.(Source).getFlowLabel() = label - } - - override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { - sink.(Sink).getFlowLabel() = label - } - - override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel label) { - super.isLabeledBarrier(node, label) - or - node.(Sanitizer).getFlowLabel() = label - } - - override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { - guard instanceof NumberGuard or - guard instanceof FunctionCheck - } - - override predicate isAdditionalFlowStep( - DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, - DataFlow::FlowLabel dstlabel - ) { - UnvalidatedDynamicMethodCallConfig::isAdditionalFlowStep(src, - FlowState::fromFlowLabel(srclabel), dst, FlowState::fromFlowLabel(dstlabel)) - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll index 99f5874cf578..ae469c3e5755 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll 
@@ -27,19 +27,3 @@ module XmlBombConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about XML-bomb vulnerabilities. */ module XmlBombFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `XmlBombFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "XmlBomb" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof Sanitizer - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll index fcae5a0eb767..991d7b3f6fc3 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll @@ -28,19 +28,3 @@ module XpathInjectionConfig implements DataFlow::ConfigSig { * Taint-tracking for untrusted user input used in XPath expression. */ module XpathInjectionFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `XpathInjectionFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "XpathInjection" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof Sanitizer - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll index a9292bbdd4d8..a803362ad11d 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll 
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll @@ -46,46 +46,6 @@ predicate isIgnoredSourceSinkPair(Source source, DomBasedXss::Sink sink) { sink instanceof DomBasedXss::WriteUrlSink } -/** - * DEPRECATED. Use the `XssThroughDomFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "XssThroughDOM" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof DomBasedXss::Sanitizer or - DomBasedXss::isOptionallySanitizedNode(node) - } - - override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { - guard instanceof TypeTestGuard or - guard instanceof UnsafeJQuery::PropertyPresenceSanitizer or - guard instanceof UnsafeJQuery::NumberGuard or - guard instanceof PrefixStringSanitizer or - guard instanceof QuoteGuard or - guard instanceof ContainsHtmlGuard - } - - override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - succ = DataFlow::globalVarRef("URL").getAMemberCall("createObjectURL") and - pred = succ.(DataFlow::InvokeNode).getArgument(0) - } - - override predicate hasFlowPath(DataFlow::SourcePathNode src, DataFlow::SinkPathNode sink) { - super.hasFlowPath(src, sink) and - // filtering away readings of `src` that end in a URL sink. - not ( - sink.getNode() instanceof DomBasedXss::WriteUrlSink and - src.getNode().(DomPropertySource).getPropertyName() = "src" - ) - } -} - /** A test for the value of `typeof x`, restricting the potential types of `x`. */ class TypeTestGuard extends BarrierGuard, DataFlow::ValueNode { override EqualityTest astNode; 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll index 616768030a36..191e263fa520 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll @@ -27,19 +27,3 @@ module XxeConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about XXE vulnerabilities. */ module XxeFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `XxeFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "Xxe" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof Sanitizer - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll index b59a78462b8c..7c6a34563b8c 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll 
@@ -50,33 +50,3 @@ module ZipSlipConfig implements DataFlow::StateConfigSig { /** A taint tracking configuration for unsafe archive extraction. */ module ZipSlipFlow = DataFlow::GlobalWithState; - -/** A taint tracking configuration for unsafe archive extraction. */ -deprecated class Configuration extends DataFlow::Configuration { - Configuration() { this = "ZipSlip" } - - override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { - label = source.(Source).getAFlowLabel() - } - - override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { - label = sink.(Sink).getAFlowLabel() - } - - override predicate isBarrier(DataFlow::Node node) { - super.isBarrier(node) or - node instanceof TaintedPath::Sanitizer - } - - override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) { - guard instanceof TaintedPath::BarrierGuardNode - } - - override predicate isAdditionalFlowStep( - DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, - DataFlow::FlowLabel dstlabel - ) { - ZipSlipConfig::isAdditionalFlowStep(src, TaintedPath::FlowState::fromFlowLabel(srclabel), dst, - TaintedPath::FlowState::fromFlowLabel(dstlabel)) - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll index d1baf9c45230..2fc23b4b234b 100644 --- a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll 
@@ -39,34 +39,3 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig { /** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */ module PolynomialReDoSFlow = TaintTracking::Global; - -/** - * DEPRECATED. Use the `PolynomialReDoSFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "PolynomialReDoS" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) { - super.isSanitizerGuard(node) or - node instanceof LengthGuard - } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof Sanitizer - } - - override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { - super.hasFlowPath(source, sink) and - // require that there is a path without unmatched return steps - DataFlow::hasPathWithoutUnmatchedReturn(source, sink) - } - - override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - DataFlow::localFieldStep(pred, succ) - } -} diff --git a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll index 380f594c21e3..3b474f6d0a0c 100644 --- a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll +++ b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll @@ -34,13 +34,6 @@ module SsrfConfig implements DataFlow::ConfigSig { module SsrfFlow = TaintTracking::Global; -/** - * DEPRECATED. Use the `SsrfFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "SSRF" } -} - /** * A sanitizer for ternary operators. * 
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/XssDiff.ql b/javascript/ql/test/library-tests/frameworks/Templating/XssDiff.ql index 66f34f2e4226..53de286bcdd0 100644 --- a/javascript/ql/test/library-tests/frameworks/Templating/XssDiff.ql +++ b/javascript/ql/test/library-tests/frameworks/Templating/XssDiff.ql @@ -2,7 +2,4 @@ import javascript import semmle.javascript.security.dataflow.DomBasedXssQuery deprecated import utils.test.LegacyDataFlowDiff -deprecated query predicate legacyDataFlowDifference = - DataFlowDiff::legacyDataFlowDifference/3; - query predicate flow = DomBasedXssFlow::flow/2; diff --git a/python/ql/lib/semmle/python/dataflow/new/TypeTracker.qll b/python/ql/lib/semmle/python/dataflow/new/TypeTracker.qll index 6def6b0b5233..ed025ab4eb11 100644 --- a/python/ql/lib/semmle/python/dataflow/new/TypeTracker.qll +++ b/python/ql/lib/semmle/python/dataflow/new/TypeTracker.qll 
@@ -8,63 +8,3 @@ private import python private import internal.TypeTracker as Internal private import internal.TypeTrackerSpecific as InternalSpecific - -/** A string that may appear as the name of an attribute or access path. */ -deprecated class AttributeName = InternalSpecific::TypeTrackerContent; - -/** An attribute name, or the empty string (representing no attribute). */ -deprecated class OptionalAttributeName = InternalSpecific::OptionalTypeTrackerContent; - -/** - * DEPRECATED: Use `semmle.python.dataflow.new.TypeTracking` instead. - * - * The summary of the steps needed to track a value to a given dataflow node. - * - * This can be used to track objects that implement a certain API in order to - * recognize calls to that API. Note that type-tracking does not by itself provide a - * source/sink relation, that is, it may determine that a node has a given type, - * but it won't determine where that type came from. - * - * It is recommended that all uses of this type are written in the following form, - * for tracking some type `myType`: - * ```ql - * DataFlow::TypeTrackingNode myType(DataFlow::TypeTracker t) { - * t.start() and - * result = < source of myType > - * or - * exists (DataFlow::TypeTracker t2 | - * result = myType(t2).track(t2, t) - * ) - * } - * - * DataFlow::LocalSourceNode myType() { myType(DataFlow::TypeTracker::end()) } - * ``` - * - * Instead of `result = myType(t2).track(t2, t)`, you can also use the equivalent - * `t = t2.step(myType(t2), result)`. If you additionally want to track individual - * intra-procedural steps, use `t = t2.smallstep(myCallback(t2), result)`. - */ -deprecated class TypeTracker extends Internal::TypeTracker { - /** - * Holds if this is the starting point of type tracking, and the value starts in the attribute named `attrName`. - * The type tracking only ends after the attribute has been loaded. - */ - predicate startInAttr(string attrName) { this.startInContent(attrName) } - - /** - * INTERNAL. DO NOT USE. 
- * - * Gets the attribute associated with this type tracker. - */ - string getAttr() { result = this.getContent() } -} - -deprecated module TypeTracker = Internal::TypeTracker; - -deprecated class StepSummary = Internal::StepSummary; - -deprecated module StepSummary = Internal::StepSummary; - -deprecated class TypeBackTracker = Internal::TypeBackTracker; - -deprecated module TypeBackTracker = Internal::TypeBackTracker; diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll index 01c881b23169..3201cb9a3853 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll 
@@ -4,954 +4,6 @@ private import TypeTrackerSpecific private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic cached -private module Cached { - /** - * A description of a step on an inter-procedural data flow path. - */ - cached - deprecated newtype TStepSummary = - LevelStep() or - CallStep() or - ReturnStep() or - deprecated StoreStep(TypeTrackerContent content) { - exists(DataFlowPublic::AttributeContent dfc | dfc.getAttribute() = content | - basicStoreStep(_, _, dfc) - ) - } or - deprecated LoadStep(TypeTrackerContent content) { - exists(DataFlowPublic::AttributeContent dfc | dfc.getAttribute() = content | - basicLoadStep(_, _, dfc) - ) - } or - deprecated LoadStoreStep(TypeTrackerContent load, TypeTrackerContent store) { - exists(DataFlowPublic::AttributeContent dfcLoad, DataFlowPublic::AttributeContent dfcStore | - dfcLoad.getAttribute() = load and dfcStore.getAttribute() = store - | - basicLoadStoreStep(_, _, dfcLoad, dfcStore) - ) - } or - deprecated WithContent(ContentFilter filter) { basicWithContentStep(_, _, filter) } or - deprecated WithoutContent(ContentFilter filter) { basicWithoutContentStep(_, _, filter) } or - JumpStep() - - cached - deprecated newtype TTypeTracker = - deprecated MkTypeTracker(Boolean hasCall, OptionalTypeTrackerContent content) { - content = noContent() - or - // Restrict `content` to those that might eventually match a load. - // We can't rely on `basicStoreStep` since `startInContent` might be used with - // a content that has no corresponding store. 
- exists(DataFlowPublic::AttributeContent loadContents | - ( - basicLoadStep(_, _, loadContents) - or - basicLoadStoreStep(_, _, loadContents, _) - ) and - compatibleContents(content, loadContents.getAttribute()) - ) - } - - cached - deprecated newtype TTypeBackTracker = - deprecated MkTypeBackTracker(Boolean hasReturn, OptionalTypeTrackerContent content) { - content = noContent() - or - // As in MkTypeTracker, restrict `content` to those that might eventually match a store. - exists(DataFlowPublic::AttributeContent storeContent | - ( - basicStoreStep(_, _, storeContent) - or - basicLoadStoreStep(_, _, _, storeContent) - ) and - compatibleContents(storeContent.getAttribute(), content) - ) - } - - /** Gets a type tracker with no content and the call bit set to the given value. */ - cached - deprecated TypeTracker noContentTypeTracker(boolean hasCall) { - result = MkTypeTracker(hasCall, noContent()) - } - - /** Gets the summary resulting from appending `step` to type-tracking summary `tt`. 
*/ - cached - deprecated TypeTracker append(TypeTracker tt, StepSummary step) { - exists(Boolean hasCall, OptionalTypeTrackerContent currentContents | - tt = MkTypeTracker(hasCall, currentContents) - | - step = LevelStep() and result = tt - or - step = CallStep() and result = MkTypeTracker(true, currentContents) - or - step = ReturnStep() and hasCall = false and result = tt - or - step = JumpStep() and - result = MkTypeTracker(false, currentContents) - or - exists(ContentFilter filter | result = tt | - step = WithContent(filter) and - currentContents = filter.getAMatchingContent() - or - step = WithoutContent(filter) and - not currentContents = filter.getAMatchingContent() - ) - ) - or - exists(TypeTrackerContent storeContents, boolean hasCall | - exists(TypeTrackerContent loadContents | - step = LoadStep(pragma[only_bind_into](loadContents)) and - tt = MkTypeTracker(hasCall, storeContents) and - compatibleContents(storeContents, loadContents) and - result = noContentTypeTracker(hasCall) - ) - or - step = StoreStep(pragma[only_bind_into](storeContents)) and - tt = noContentTypeTracker(hasCall) and - result = MkTypeTracker(hasCall, storeContents) - ) - or - exists( - TypeTrackerContent currentContent, TypeTrackerContent store, TypeTrackerContent load, - boolean hasCall - | - step = LoadStoreStep(pragma[only_bind_into](load), pragma[only_bind_into](store)) and - compatibleContents(pragma[only_bind_into](currentContent), load) and - tt = MkTypeTracker(pragma[only_bind_into](hasCall), currentContent) and - result = MkTypeTracker(pragma[only_bind_out](hasCall), store) - ) - } - - pragma[nomagic] - deprecated private TypeBackTracker noContentTypeBackTracker(boolean hasReturn) { - result = MkTypeBackTracker(hasReturn, noContent()) - } - - /** Gets the summary resulting from prepending `step` to this type-tracking summary. 
*/ - cached - deprecated TypeBackTracker prepend(TypeBackTracker tbt, StepSummary step) { - exists(Boolean hasReturn, OptionalTypeTrackerContent content | - tbt = MkTypeBackTracker(hasReturn, content) - | - step = LevelStep() and result = tbt - or - step = CallStep() and hasReturn = false and result = tbt - or - step = ReturnStep() and result = MkTypeBackTracker(true, content) - or - step = JumpStep() and - result = MkTypeBackTracker(false, content) - or - exists(ContentFilter filter | result = tbt | - step = WithContent(filter) and - content = filter.getAMatchingContent() - or - step = WithoutContent(filter) and - not content = filter.getAMatchingContent() - ) - ) - or - exists(TypeTrackerContent loadContents, boolean hasReturn | - exists(TypeTrackerContent storeContents | - step = StoreStep(pragma[only_bind_into](storeContents)) and - tbt = MkTypeBackTracker(hasReturn, loadContents) and - compatibleContents(storeContents, loadContents) and - result = noContentTypeBackTracker(hasReturn) - ) - or - step = LoadStep(pragma[only_bind_into](loadContents)) and - tbt = noContentTypeBackTracker(hasReturn) and - result = MkTypeBackTracker(hasReturn, loadContents) - ) - or - exists( - TypeTrackerContent currentContent, TypeTrackerContent store, TypeTrackerContent load, - boolean hasCall - | - step = LoadStoreStep(pragma[only_bind_into](load), pragma[only_bind_into](store)) and - compatibleContents(store, pragma[only_bind_into](currentContent)) and - tbt = MkTypeBackTracker(pragma[only_bind_into](hasCall), currentContent) and - result = MkTypeBackTracker(pragma[only_bind_out](hasCall), load) - ) - } - - /** - * Gets the summary that corresponds to having taken a forwards - * heap and/or intra-procedural step from `nodeFrom` to `nodeTo`. - * - * Steps contained in this predicate should _not_ depend on the call graph. 
- */ - cached - deprecated predicate stepNoCall( - TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo, StepSummary summary - ) { - exists(Node mid | nodeFrom.flowsTo(mid) and smallstepNoCall(mid, nodeTo, summary)) - } - - /** - * Gets the summary that corresponds to having taken a forwards - * inter-procedural step from `nodeFrom` to `nodeTo`. - */ - cached - deprecated predicate stepCall( - TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo, StepSummary summary - ) { - exists(Node mid | nodeFrom.flowsTo(mid) and smallstepCall(mid, nodeTo, summary)) - } - - cached - deprecated predicate smallstepNoCall(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - jumpStep(nodeFrom, nodeTo) and - summary = JumpStep() - or - levelStepNoCall(nodeFrom, nodeTo) and - summary = LevelStep() - or - exists(TypeTrackerContent content | - flowsToStoreStep(nodeFrom, nodeTo, content) and - summary = StoreStep(content) - or - exists(DataFlowPublic::AttributeContent dfc | dfc.getAttribute() = content | - basicLoadStep(nodeFrom, nodeTo, dfc) - ) and - summary = LoadStep(content) - ) - or - exists(TypeTrackerContent loadContent, TypeTrackerContent storeContent | - flowsToLoadStoreStep(nodeFrom, nodeTo, loadContent, storeContent) and - summary = LoadStoreStep(loadContent, storeContent) - ) - or - exists(ContentFilter filter | - basicWithContentStep(nodeFrom, nodeTo, filter) and - summary = WithContent(filter) - or - basicWithoutContentStep(nodeFrom, nodeTo, filter) and - summary = WithoutContent(filter) - ) - } - - cached - deprecated predicate smallstepCall(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - callStep(nodeFrom, nodeTo) and summary = CallStep() - or - returnStep(nodeFrom, nodeTo) and - summary = ReturnStep() - or - levelStepCall(nodeFrom, nodeTo) and - summary = LevelStep() - } -} +private module Cached { } private import Cached - -deprecated private predicate step( - TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo, StepSummary summary -) { - 
stepNoCall(nodeFrom, nodeTo, summary) - or - stepCall(nodeFrom, nodeTo, summary) -} - -pragma[nomagic] -deprecated private predicate stepProj(TypeTrackingNode nodeFrom, StepSummary summary) { - step(nodeFrom, _, summary) -} - -deprecated private predicate smallstep(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - smallstepNoCall(nodeFrom, nodeTo, summary) - or - smallstepCall(nodeFrom, nodeTo, summary) -} - -pragma[nomagic] -deprecated private predicate smallstepProj(Node nodeFrom, StepSummary summary) { - smallstep(nodeFrom, _, summary) -} - -/** - * Holds if `nodeFrom` is being written to the `content` of the object in `nodeTo`. - * - * Note that `nodeTo` will always be a local source node that flows to the place where the content - * is written in `basicStoreStep`. This may lead to the flow of information going "back in time" - * from the point of view of the execution of the program. - * - * For instance, if we interpret attribute writes in Python as writing to content with the same - * name as the attribute and consider the following snippet - * - * ```python - * def foo(y): - * x = Foo() - * bar(x) - * x.attr = y - * baz(x) - * - * def bar(x): - * z = x.attr - * ``` - * for the attribute write `x.attr = y`, we will have `content` being the literal string `"attr"`, - * `nodeFrom` will be `y`, and `nodeTo` will be the object `Foo()` created on the first line of the - * function. This means we will track the fact that `x.attr` can have the type of `y` into the - * assignment to `z` inside `bar`, even though this attribute write happens _after_ `bar` is called. 
- */ -deprecated private predicate flowsToStoreStep( - Node nodeFrom, TypeTrackingNode nodeTo, TypeTrackerContent content -) { - exists(Node obj | - nodeTo.flowsTo(obj) and - exists(DataFlowPublic::AttributeContent dfc | dfc.getAttribute() = content | - basicStoreStep(nodeFrom, obj, dfc) - ) - ) -} - -/** - * Holds if `loadContent` is loaded from `nodeFrom` and written to `storeContent` of `nodeTo`. - */ -deprecated private predicate flowsToLoadStoreStep( - Node nodeFrom, TypeTrackingNode nodeTo, TypeTrackerContent loadContent, - TypeTrackerContent storeContent -) { - exists(Node obj | - nodeTo.flowsTo(obj) and - exists(DataFlowPublic::AttributeContent loadDfc, DataFlowPublic::AttributeContent storeDfc | - loadDfc.getAttribute() = loadContent and storeDfc.getAttribute() = storeContent - | - basicLoadStoreStep(nodeFrom, obj, loadDfc, storeDfc) - ) - ) -} - -/** - * INTERNAL: Use `TypeTracker` or `TypeBackTracker` instead. - * - * A description of a step on an inter-procedural data flow path. - */ -deprecated class StepSummary extends TStepSummary { - /** Gets a textual representation of this step summary. */ - string toString() { - this instanceof LevelStep and result = "level" - or - this instanceof CallStep and result = "call" - or - this instanceof ReturnStep and result = "return" - or - exists(TypeTrackerContent content | this = StoreStep(content) | result = "store " + content) - or - exists(TypeTrackerContent content | this = LoadStep(content) | result = "load " + content) - or - exists(TypeTrackerContent load, TypeTrackerContent store | - this = LoadStoreStep(load, store) and - result = "load-store " + load + " -> " + store - ) - or - this instanceof JumpStep and result = "jump" - } -} - -/** Provides predicates for updating step summaries (`StepSummary`s). */ -deprecated module StepSummary { - predicate append = Cached::append/2; - - /** - * Gets the summary that corresponds to having taken a forwards - * inter-procedural step from `nodeFrom` to `nodeTo`. 
- * - * This predicate should normally not be used; consider using `step` - * instead. - */ - predicate stepCall = Cached::stepCall/3; - - /** - * Gets the summary that corresponds to having taken a forwards - * intra-procedural step from `nodeFrom` to `nodeTo`. - * - * This predicate should normally not be used; consider using `step` - * instead. - */ - predicate stepNoCall = Cached::stepNoCall/3; - - /** - * Gets the summary that corresponds to having taken a forwards - * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`. - */ - predicate step(TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - stepNoCall(nodeFrom, nodeTo, summary) - or - stepCall(nodeFrom, nodeTo, summary) - } - - /** - * Gets the summary that corresponds to having taken a forwards - * inter-procedural step from `nodeFrom` to `nodeTo`. - * - * This predicate should normally not be used; consider using `step` - * instead. - */ - predicate smallstepNoCall = Cached::smallstepNoCall/3; - - /** - * Gets the summary that corresponds to having taken a forwards - * intra-procedural step from `nodeFrom` to `nodeTo`. - * - * This predicate should normally not be used; consider using `step` - * instead. - */ - predicate smallstepCall = Cached::smallstepCall/3; - - /** - * Gets the summary that corresponds to having taken a forwards - * local, heap and/or inter-procedural step from `nodeFrom` to `nodeTo`. - * - * Unlike `StepSummary::step`, this predicate does not compress - * type-preserving steps. - */ - predicate smallstep(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - smallstepNoCall(nodeFrom, nodeTo, summary) - or - smallstepCall(nodeFrom, nodeTo, summary) - } - - /** Gets the step summary for a level step. */ - StepSummary levelStep() { result = LevelStep() } - - /** Gets the step summary for a call step. */ - StepSummary callStep() { result = CallStep() } - - /** Gets the step summary for a return step. 
*/ - StepSummary returnStep() { result = ReturnStep() } - - /** Gets the step summary for storing into `content`. */ - StepSummary storeStep(TypeTrackerContent content) { result = StoreStep(content) } - - /** Gets the step summary for loading from `content`. */ - StepSummary loadStep(TypeTrackerContent content) { result = LoadStep(content) } - - /** Gets the step summary for loading from `load` and then storing into `store`. */ - StepSummary loadStoreStep(TypeTrackerContent load, TypeTrackerContent store) { - result = LoadStoreStep(load, store) - } - - /** Gets the step summary for a step that only permits contents matched by `filter`. */ - StepSummary withContent(ContentFilter filter) { result = WithContent(filter) } - - /** Gets the step summary for a step that blocks contents matched by `filter`. */ - StepSummary withoutContent(ContentFilter filter) { result = WithoutContent(filter) } - - /** Gets the step summary for a jump step. */ - StepSummary jumpStep() { result = JumpStep() } -} - -/** - * DEPRECATED: Use `semmle.python.dataflow.new.TypeTracking` instead. - * - * A summary of the steps needed to track a value to a given dataflow node. - * - * This can be used to track objects that implement a certain API in order to - * recognize calls to that API. Note that type-tracking does not by itself provide a - * source/sink relation, that is, it may determine that a node has a given type, - * but it won't determine where that type came from. 
- * - * It is recommended that all uses of this type are written in the following form, - * for tracking some type `myType`: - * ```ql - * DataFlow::TypeTrackingNode myType(DataFlow::TypeTracker t) { - * t.start() and - * result = < source of myType > - * or - * exists (DataFlow::TypeTracker t2 | - * result = myType(t2).track(t2, t) - * ) - * } - * - * DataFlow::Node myType() { myType(DataFlow::TypeTracker::end()).flowsTo(result) } - * ``` - * - * Instead of `result = myType(t2).track(t2, t)`, you can also use the equivalent - * `t = t2.step(myType(t2), result)`. If you additionally want to track individual - * intra-procedural steps, use `t = t2.smallstep(myCallback(t2), result)`. - */ -deprecated class TypeTracker extends TTypeTracker { - Boolean hasCall; - OptionalTypeTrackerContent content; - - TypeTracker() { this = MkTypeTracker(hasCall, content) } - - /** Gets the summary resulting from appending `step` to this type-tracking summary. */ - TypeTracker append(StepSummary step) { result = append(this, step) } - - /** Gets a textual representation of this summary. */ - string toString() { - exists(string withCall, string withContent | - (if hasCall = true then withCall = "with" else withCall = "without") and - ( - if content != noContent() - then withContent = " with content " + content - else withContent = "" - ) and - result = "type tracker " + withCall + " call steps" + withContent - ) - } - - /** - * Holds if this is the starting point of type tracking. - */ - predicate start() { hasCall = false and content = noContent() } - - /** - * Holds if this is the starting point of type tracking, and the value starts in the content named `contentName`. - * The type tracking only ends after the content has been loaded. - */ - predicate startInContent(TypeTrackerContent contentName) { - hasCall = false and content = contentName - } - - /** - * Holds if this is the starting point of type tracking - * when tracking a parameter into a call, but not out of it. 
- */ - predicate call() { hasCall = true and content = noContent() } - - /** - * Holds if this is the end point of type tracking. - */ - predicate end() { content = noContent() } - - /** - * INTERNAL. DO NOT USE. - * - * Holds if this type has been tracked into a call. - */ - boolean hasCall() { result = hasCall } - - /** - * INTERNAL. DO NOT USE. - * - * Gets the content associated with this type tracker. - */ - OptionalTypeTrackerContent getContent() { result = content } - - /** - * Gets a type tracker that starts where this one has left off to allow continued - * tracking. - * - * This predicate is only defined if the type is not associated to a piece of content. - */ - TypeTracker continue() { content = noContent() and result = this } - - /** - * Gets the summary that corresponds to having taken a forwards - * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`. - */ - bindingset[nodeFrom, this] - pragma[inline_late] - pragma[noopt] - TypeTracker step(TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo) { - exists(StepSummary summary | - stepProj(nodeFrom, summary) and - result = this.append(summary) and - step(nodeFrom, nodeTo, summary) - ) - } - - bindingset[nodeFrom, this] - pragma[inline_late] - pragma[noopt] - private TypeTracker smallstepNoSimpleLocalFlowStep(Node nodeFrom, Node nodeTo) { - exists(StepSummary summary | - smallstepProj(nodeFrom, summary) and - result = this.append(summary) and - smallstep(nodeFrom, nodeTo, summary) - ) - } - - /** - * Gets the summary that corresponds to having taken a forwards - * local, heap and/or inter-procedural step from `nodeFrom` to `nodeTo`. - * - * Unlike `TypeTracker::step`, this predicate exposes all edges - * in the flow graph, and not just the edges between `Node`s. - * It may therefore be less performant. 
- * - * Type tracking predicates using small steps typically take the following form: - * ```ql - * DataFlow::Node myType(DataFlow::TypeTracker t) { - * t.start() and - * result = < source of myType > - * or - * exists (DataFlow::TypeTracker t2 | - * t = t2.smallstep(myType(t2), result) - * ) - * } - * - * DataFlow::Node myType() { - * result = myType(DataFlow::TypeTracker::end()) - * } - * ``` - */ - pragma[inline] - TypeTracker smallstep(Node nodeFrom, Node nodeTo) { - result = this.smallstepNoSimpleLocalFlowStep(nodeFrom, nodeTo) - or - simpleLocalFlowStep(nodeFrom, nodeTo) and - result = this - } -} - -/** Provides predicates for implementing custom `TypeTracker`s. */ -deprecated module TypeTracker { - /** - * Gets a valid end point of type tracking. - */ - TypeTracker end() { result.end() } - - /** - * INTERNAL USE ONLY. - * - * Gets a valid end point of type tracking with the call bit set to the given value. - */ - predicate end = Cached::noContentTypeTracker/1; -} - -pragma[nomagic] -deprecated private predicate backStepProj(TypeTrackingNode nodeTo, StepSummary summary) { - step(_, nodeTo, summary) -} - -deprecated private predicate backSmallstepProj(TypeTrackingNode nodeTo, StepSummary summary) { - smallstep(_, nodeTo, summary) -} - -/** - * DEPRECATED: Use `semmle.python.dataflow.new.TypeTracking` instead. - * - * A summary of the steps needed to back-track a use of a value to a given dataflow node. - * - * This can for example be used to track callbacks that are passed to a certain API, - * so we can model specific parameters of that callback as having a certain type. - * - * Note that type back-tracking does not provide a source/sink relation, that is, - * it may determine that a node will be used in an API call somewhere, but it won't - * determine exactly where that use was, or the path that led to the use. 
- * - * It is recommended that all uses of this type are written in the following form, - * for back-tracking some callback type `myCallback`: - * - * ```ql - * DataFlow::TypeTrackingNode myCallback(DataFlow::TypeBackTracker t) { - * t.start() and - * result = (< some API call >).getArgument(< n >).getALocalSource() - * or - * exists (DataFlow::TypeBackTracker t2 | - * result = myCallback(t2).backtrack(t2, t) - * ) - * } - * - * DataFlow::TypeTrackingNode myCallback() { result = myCallback(DataFlow::TypeBackTracker::end()) } - * ``` - * - * Instead of `result = myCallback(t2).backtrack(t2, t)`, you can also use the equivalent - * `t2 = t.step(result, myCallback(t2))`. If you additionally want to track individual - * intra-procedural steps, use `t2 = t.smallstep(result, myCallback(t2))`. - */ -deprecated class TypeBackTracker extends TTypeBackTracker { - Boolean hasReturn; - OptionalTypeTrackerContent content; - - TypeBackTracker() { this = MkTypeBackTracker(hasReturn, content) } - - /** Gets the summary resulting from prepending `step` to this type-tracking summary. */ - TypeBackTracker prepend(StepSummary step) { result = prepend(this, step) } - - /** Gets a textual representation of this summary. */ - string toString() { - exists(string withReturn, string withContent | - (if hasReturn = true then withReturn = "with" else withReturn = "without") and - ( - if content != noContent() - then withContent = " with content " + content - else withContent = "" - ) and - result = "type back-tracker " + withReturn + " return steps" + withContent - ) - } - - /** - * Holds if this is the starting point of type tracking. - */ - predicate start() { hasReturn = false and content = noContent() } - - /** - * Holds if this is the end point of type tracking. - */ - predicate end() { content = noContent() } - - /** - * INTERNAL. DO NOT USE. - * - * Holds if this type has been back-tracked into a call through return edge. 
- */ - boolean hasReturn() { result = hasReturn } - - /** - * Gets a type tracker that starts where this one has left off to allow continued - * tracking. - * - * This predicate is only defined if the type has not been tracked into a piece of content. - */ - TypeBackTracker continue() { content = noContent() and result = this } - - /** - * Gets the summary that corresponds to having taken a backwards - * heap and/or inter-procedural step from `nodeTo` to `nodeFrom`. - */ - bindingset[nodeTo, result] - pragma[inline_late] - pragma[noopt] - TypeBackTracker step(TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo) { - exists(StepSummary summary | - backStepProj(nodeTo, summary) and - this = result.prepend(summary) and - step(nodeFrom, nodeTo, summary) - ) - } - - bindingset[nodeTo, result] - pragma[inline_late] - pragma[noopt] - private TypeBackTracker smallstepNoSimpleLocalFlowStep(Node nodeFrom, Node nodeTo) { - exists(StepSummary summary | - backSmallstepProj(nodeTo, summary) and - this = result.prepend(summary) and - smallstep(nodeFrom, nodeTo, summary) - ) - } - - /** - * Gets the summary that corresponds to having taken a backwards - * local, heap and/or inter-procedural step from `nodeTo` to `nodeFrom`. - * - * Unlike `TypeBackTracker::step`, this predicate exposes all edges - * in the flowgraph, and not just the edges between - * `TypeTrackingNode`s. It may therefore be less performant. 
- *
- * Type tracking predicates using small steps typically take the following form:
- * ```ql
- * DataFlow::Node myType(DataFlow::TypeBackTracker t) {
- * t.start() and
- * result = < some API call >.getArgument(< n >)
- * or
- * exists (DataFlow::TypeBackTracker t2 |
- * t = t2.smallstep(result, myType(t2))
- * )
- * }
- *
- * DataFlow::Node myType() {
- * result = myType(DataFlow::TypeBackTracker::end())
- * }
- * ```
- */
- pragma[inline]
- TypeBackTracker smallstep(Node nodeFrom, Node nodeTo) {
- this = this.smallstepNoSimpleLocalFlowStep(nodeFrom, nodeTo)
- or
- simpleLocalFlowStep(nodeFrom, nodeTo) and
- this = result
- }
-
- /**
- * Gets a forwards summary that is compatible with this backwards summary.
- * That is, if this summary describes the steps needed to back-track a value
- * from `sink` to `mid`, and the result is a valid summary of the steps needed
- * to track a value from `source` to `mid`, then the value from `source` may
- * also flow to `sink`.
- */
- TypeTracker getACompatibleTypeTracker() {
- exists(boolean hasCall, OptionalTypeTrackerContent c |
- result = MkTypeTracker(hasCall, c) and
- (
- compatibleContents(c, content)
- or
- content = noContent() and c = content
- )
- |
- hasCall = false
- or
- this.hasReturn() = false
- )
- }
-}
-
-/** Provides predicates for implementing custom `TypeBackTracker`s. */
-deprecated module TypeBackTracker {
- /**
- * Gets a valid end point of type back-tracking.
- */
- TypeBackTracker end() { result.end() }
-}
-
-/**
- * INTERNAL: Do not use.
- *
- * Provides logic for constructing a call graph in mutual recursion with type tracking.
- *
- * When type tracking is used to construct a call graph, we cannot use the join-order
- * from `stepInlineLate`, because `step` becomes a recursive call, which means that we
- * will have a conjunct with 3 recursive calls: the call to `step`, the call to `stepProj`,
- * and the recursive type tracking call itself. The solution is to split the three-way
- * non-linear recursion into two non-linear predicates: one that first joins with the
- * projected `stepCall` relation, followed by a predicate that joins with the full
- * `stepCall` relation (`stepNoCall` not being recursive, can be join-ordered in the
- * same way as in `stepInlineLate`).
- */
-deprecated module CallGraphConstruction {
- /** The input to call graph construction. */
- signature module InputSig {
- /** A state to track during type tracking. */
- class State;
-
- /** Holds if type tracking should start at `start` in state `state`. */
- deprecated predicate start(Node start, State state);
-
- /**
- * Holds if type tracking should use the step from `nodeFrom` to `nodeTo`,
- * which _does not_ depend on the call graph.
- *
- * Implementing this predicate using `StepSummary::[small]stepNoCall` yields
- * standard type tracking.
- */
- deprecated predicate stepNoCall(Node nodeFrom, Node nodeTo, StepSummary summary);
-
- /**
- * Holds if type tracking should use the step from `nodeFrom` to `nodeTo`,
- * which _does_ depend on the call graph.
- *
- * Implementing this predicate using `StepSummary::[small]stepCall` yields
- * standard type tracking.
- */
- deprecated predicate stepCall(Node nodeFrom, Node nodeTo, StepSummary summary);
-
- /** A projection of an element from the state space. */
- class StateProj;
-
- /** Gets the projection of `state`. */
- StateProj stateProj(State state);
-
- /** Holds if type tracking should stop at `n` when we are tracking projected state `stateProj`. */
- deprecated predicate filter(Node n, StateProj stateProj);
- }
-
- /** Provides the `track` predicate for use in call graph construction. */
- module Make {
- pragma[nomagic]
- deprecated private predicate stepNoCallProj(Node nodeFrom, StepSummary summary) {
- Input::stepNoCall(nodeFrom, _, summary)
- }
-
- pragma[nomagic]
- deprecated private predicate stepCallProj(Node nodeFrom, StepSummary summary) {
- Input::stepCall(nodeFrom, _, summary)
- }
-
- bindingset[nodeFrom, t]
- pragma[inline_late]
- pragma[noopt]
- deprecated private TypeTracker stepNoCallInlineLate(
- TypeTracker t, TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo
- ) {
- exists(StepSummary summary |
- stepNoCallProj(nodeFrom, summary) and
- result = t.append(summary) and
- Input::stepNoCall(nodeFrom, nodeTo, summary)
- )
- }
-
- bindingset[state]
- pragma[inline_late]
- private Input::StateProj stateProjInlineLate(Input::State state) {
- result = Input::stateProj(state)
- }
-
- pragma[nomagic]
- deprecated private Node track(Input::State state, TypeTracker t) {
- t.start() and Input::start(result, state)
- or
- exists(Input::StateProj stateProj |
- stateProj = stateProjInlineLate(state) and
- not Input::filter(result, stateProj)
- |
- exists(TypeTracker t2 | t = stepNoCallInlineLate(t2, track(state, t2), result))
- or
- exists(StepSummary summary |
- // non-linear recursion
- Input::stepCall(trackCall(state, t, summary), result, summary)
- )
- )
- }
-
- bindingset[t, summary]
- pragma[inline_late]
- deprecated private TypeTracker appendInlineLate(TypeTracker t, StepSummary summary) {
- result = t.append(summary)
- }
-
- pragma[nomagic]
- deprecated private Node trackCall(Input::State state, TypeTracker t, StepSummary summary) {
- exists(TypeTracker t2 |
- // non-linear recursion
- result = track(state, t2) and
- stepCallProj(result, summary) and
- t = appendInlineLate(t2, summary)
- )
- }
-
- /** Gets a node that can be reached from _some_ start node in state `state`. */
- pragma[nomagic]
- deprecated Node track(Input::State state) { result = track(state, TypeTracker::end()) }
- }
-
- /** A simple version of `CallGraphConstruction` that uses standard type tracking. */
- module Simple {
- /** The input to call graph construction. */
- signature module InputSig {
- /** A state to track during type tracking. */
- class State;
-
- /** Holds if type tracking should start at `start` in state `state`. */
- deprecated predicate start(Node start, State state);
-
- /** Holds if type tracking should stop at `n`. */
- deprecated predicate filter(Node n);
- }
-
- /** Provides the `track` predicate for use in call graph construction. */
- module Make {
- deprecated private module I implements CallGraphConstruction::InputSig {
- private import codeql.util.Unit
-
- class State = Input::State;
-
- predicate start(Node start, State state) { Input::start(start, state) }
-
- predicate stepNoCall(Node nodeFrom, Node nodeTo, StepSummary summary) {
- StepSummary::stepNoCall(nodeFrom, nodeTo, summary)
- }
-
- predicate stepCall(Node nodeFrom, Node nodeTo, StepSummary summary) {
- StepSummary::stepCall(nodeFrom, nodeTo, summary)
- }
-
- class StateProj = Unit;
-
- Unit stateProj(State state) { exists(state) and exists(result) }
-
- predicate filter(Node n, Unit u) {
- Input::filter(n) and
- exists(u)
- }
- }
-
- deprecated import CallGraphConstruction::Make
- }
- }
-}
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
index 11cce1446f75..f1b04c779708 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
@@ -6,50 +6,11 @@ private import python
 private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
 private import TypeTrackingImpl as TypeTrackingImpl
-deprecated class Node = DataFlowPublic::Node;
-
-deprecated class TypeTrackingNode = DataFlowPublic::TypeTrackingNode;
-
-/** A content name for use by type trackers, or the empty string. */
-deprecated class OptionalTypeTrackerContent extends string {
- OptionalTypeTrackerContent() {
- this = ""
- or
- this = any(DataFlowPublic::AttributeContent dfc).getAttribute()
- }
-}
-
-/** A content name for use by type trackers. */
-deprecated class TypeTrackerContent extends OptionalTypeTrackerContent {
- TypeTrackerContent() { this != "" }
-}
-
-/** Gets the content string representing no value. */
-deprecated OptionalTypeTrackerContent noContent() { result = "" }
-
-/**
- * A label to use for `WithContent` and `WithoutContent` steps, restricting
- * which `ContentSet` may pass through. Not currently used in Python.
- */
-deprecated class ContentFilter extends Unit {
- TypeTrackerContent getAMatchingContent() { none() }
-}
-
-pragma[inline]
-deprecated predicate compatibleContents(
- TypeTrackerContent storeContent, TypeTrackerContent loadContent
-) {
- storeContent = loadContent
-}
-
 deprecated predicate simpleLocalFlowStep = TypeTrackingImpl::TypeTrackingInput::simpleLocalSmallStep/2;
 deprecated predicate jumpStep = TypeTrackingImpl::TypeTrackingInput::jumpStep/2;
-/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which may depend on the call graph. */
-deprecated predicate levelStepCall(Node nodeFrom, Node nodeTo) { none() }
-
 /** Holds if there is a level step from `nodeFrom` to `nodeTo`, which does not depend on the call graph. */
 deprecated predicate levelStepNoCall = TypeTrackingImpl::TypeTrackingInput::levelStepNoCall/2;
@@ -79,24 +40,3 @@ deprecated predicate basicLoadStep = TypeTrackingImpl::TypeTrackingInput::loadSt
 * Holds if the `loadContent` of `nodeFrom` is stored in the `storeContent` of `nodeTo`.
 */
 deprecated predicate basicLoadStoreStep = TypeTrackingImpl::TypeTrackingInput::loadStoreStep/4;
-
-/**
- * Holds if type-tracking should step from `nodeFrom` to `nodeTo` but block flow of contents matched by `filter` through here.
- */
-deprecated predicate basicWithoutContentStep(Node nodeFrom, Node nodeTo, ContentFilter filter) {
- none()
-}
-
-/**
- * Holds if type-tracking should step from `nodeFrom` to `nodeTo` if inside a content matched by `filter`.
- */
-deprecated predicate basicWithContentStep(Node nodeFrom, Node nodeTo, ContentFilter filter) {
- none()
-}
-
-/**
- * A utility class that is equivalent to `boolean` but does not require type joining.
- */
-deprecated class Boolean extends boolean {
- Boolean() { this = true or this = false }
-}
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
index 201354216004..4ad671bb19aa 100644
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -1781,15 +1781,6 @@ module StdlibPrivate {
 * See https://docs.python.org/3/library/cgi.html.
 */
 module FieldStorage {
- /**
- * DEPRECATED: Use `subclassRef` predicate instead.
- *
- * Gets a reference to the `cgi.FieldStorage` class.
- */
- deprecated API::Node classRef() {
- result = API::moduleImport("cgi").getMember("FieldStorage")
- }
-
 /** Gets a reference to the `cgi.FieldStorage` class or any subclass. */
 API::Node subclassRef() {
 result = API::moduleImport("cgi").getMember("FieldStorage").getASubclass*()
@@ -1900,168 +1891,15 @@ module StdlibPrivate {
 // ---------------------------------------------------------------------------
 // BaseHTTPServer (Python 2 only)
 // ---------------------------------------------------------------------------
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Gets a reference to the `BaseHttpServer` module.
- */
- deprecated API::Node baseHttpServer() { result = API::moduleImport("BaseHTTPServer") }
-
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Provides models for the `BaseHttpServer` module.
- */
- deprecated module BaseHttpServer {
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Provides models for the `BaseHTTPServer.BaseHTTPRequestHandler` class (Python 2 only).
- */
- deprecated module BaseHttpRequestHandler {
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Gets a reference to the `BaseHttpServer.BaseHttpRequestHandler` class.
- */
- deprecated API::Node classRef() {
- result = baseHttpServer().getMember("BaseHTTPRequestHandler")
- }
- }
- }
-
 // ---------------------------------------------------------------------------
 // SimpleHTTPServer (Python 2 only)
 // ---------------------------------------------------------------------------
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Gets a reference to the `SimpleHttpServer` module.
- */
- deprecated API::Node simpleHttpServer() { result = API::moduleImport("SimpleHTTPServer") }
-
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Provides models for the `SimpleHttpServer` module.
- */
- deprecated module SimpleHttpServer {
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Provides models for the `SimpleHTTPServer.SimpleHTTPRequestHandler` class (Python 2 only).
- */
- deprecated module SimpleHttpRequestHandler {
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Gets a reference to the `SimpleHttpServer.SimpleHttpRequestHandler` class.
- */
- deprecated API::Node classRef() {
- result = simpleHttpServer().getMember("SimpleHTTPRequestHandler")
- }
- }
- }
-
 // ---------------------------------------------------------------------------
 // CGIHTTPServer (Python 2 only)
 // ---------------------------------------------------------------------------
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Gets a reference to the `CGIHTTPServer` module.
- */
- deprecated API::Node cgiHttpServer() { result = API::moduleImport("CGIHTTPServer") }
-
- /** Provides models for the `CGIHTTPServer` module. */
- deprecated module CgiHttpServer {
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Provides models for the `CGIHTTPServer.CGIHTTPRequestHandler` class (Python 2 only).
- */
- deprecated module CgiHttpRequestHandler {
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Gets a reference to the `CGIHTTPServer.CgiHttpRequestHandler` class.
- */
- deprecated API::Node classRef() {
- result = cgiHttpServer().getMember("CGIHTTPRequestHandler")
- }
- }
- }
-
 // ---------------------------------------------------------------------------
 // http (Python 3 only)
 // ---------------------------------------------------------------------------
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Gets a reference to the `http` module.
- */
- deprecated API::Node http() { result = API::moduleImport("http") }
-
- /** Provides models for the `http` module. */
- deprecated module StdlibHttp {
- // -------------------------------------------------------------------------
- // http.server
- // -------------------------------------------------------------------------
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Gets a reference to the `http.server` module.
- */
- deprecated API::Node server() { result = http().getMember("server") }
-
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Provides models for the `http.server` module
- */
- deprecated module Server {
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Provides models for the `http.server.BaseHTTPRequestHandler` class (Python 3 only).
- *
- * See https://docs.python.org/3.9/library/http.server.html#http.server.BaseHTTPRequestHandler.
- */
- deprecated module BaseHttpRequestHandler {
- /** Gets a reference to the `http.server.BaseHttpRequestHandler` class. */
- deprecated API::Node classRef() { result = server().getMember("BaseHTTPRequestHandler") }
- }
-
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Provides models for the `http.server.SimpleHTTPRequestHandler` class (Python 3 only).
- *
- * See https://docs.python.org/3.9/library/http.server.html#http.server.SimpleHTTPRequestHandler.
- */
- deprecated module SimpleHttpRequestHandler {
- /** Gets a reference to the `http.server.SimpleHttpRequestHandler` class. */
- deprecated API::Node classRef() { result = server().getMember("SimpleHTTPRequestHandler") }
- }
-
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Provides models for the `http.server.CGIHTTPRequestHandler` class (Python 3 only).
- *
- * See https://docs.python.org/3.9/library/http.server.html#http.server.CGIHTTPRequestHandler.
- */
- deprecated module CgiHttpRequestHandler {
- /**
- * DEPRECATED: Use API-graphs directly instead.
- *
- * Gets a reference to the `http.server.CGIHTTPRequestHandler` class.
- */
- deprecated API::Node classRef() { result = server().getMember("CGIHTTPRequestHandler") }
- }
- }
- }
-
 /**
 * Provides models for the `BaseHTTPRequestHandler` class and subclasses.
 *
diff --git a/ruby/ql/lib/codeql/ruby/ApiGraphs.qll b/ruby/ql/lib/codeql/ruby/ApiGraphs.qll
index cc887a9a05c7..00537e375b1b 100644
--- a/ruby/ql/lib/codeql/ruby/ApiGraphs.qll
+++ b/ruby/ql/lib/codeql/ruby/ApiGraphs.qll
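Review bot: The section banners `// BaseHTTPServer (Python 2 only)`, `// SimpleHTTPServer (Python 2 only)` and `// CGIHTTPServer (Python 2 only)` survive as context in the `@@ -1900,168 +1891,15 @@` hunk of Stdlib.qll, although everything under them is deleted. The new side therefore has four comment banners stacked directly on top of each other, the first three heading empty sections; they should be removed together with the code they introduced. The `// http (Python 3 only)` banner is now followed only by the `BaseHTTPRequestHandler` models that continue below the hunk, so it is worth confirming that its label still describes that section. The enclosing `StdlibPrivate` module starts and ends outside the hunk.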
@@ -264,12 +264,6 @@ module API {
 pragma[inline_late]
 DataFlow::CallNode asCall() { this = Impl::MkMethodAccessNode(result) }
- /**
- * DEPRECATED. Use `asCall()` instead.
- */
- pragma[inline]
- deprecated DataFlow::CallNode getCallNode() { this = Impl::MkMethodAccessNode(result) }
-
 /**
 * Gets a module or class that descends from the module or class referenced by this API node.
 */
@@ -607,104 +601,10 @@ module API {
 */
 string toString() { none() }
- /**
- * Gets a node representing a (direct or indirect) subclass of the class represented by this node.
- * ```rb
- * class A; end
- * class B < A; end
- * class C < B; end
- * ```
- * In the example above, `getMember("A").getASubclass()` will return uses of `A`, `B` and `C`.
- */
- pragma[inline]
- deprecated Node getASubclass() { result = this }
-
- /**
- * Gets a node representing a direct subclass of the class represented by this node.
- * ```rb
- * class A; end
- * class B < A; end
- * class C < B; end
- * ```
- * In the example above, `getMember("A").getAnImmediateSubclass()` will return uses of `B` only.
- */
- pragma[inline]
- deprecated Node getAnImmediateSubclass() {
- result = this.asModule().getAnImmediateDescendent().trackModule()
- }
-
- /** DEPRECATED. This predicate has been renamed to `getAValueReachableFromSource()`. */
- deprecated DataFlow::Node getAUse() { result = this.getAValueReachableFromSource() }
-
- /** DEPRECATED. This predicate has been renamed to `asSource()`. */
- deprecated DataFlow::LocalSourceNode getAnImmediateUse() { result = this.asSource() }
-
- /** DEPRECATED. This predicate has been renamed to `asSink()`. */
- deprecated DataFlow::Node getARhs() { result = this.asSink() }
-
- /** DEPRECATED. This predicate has been renamed to `getAValueReachingSink()`. */
- deprecated DataFlow::Node getAValueReachingRhs() { result = this.getAValueReachingSink() }
-
- /**
- * DEPRECATED. API graph nodes are no longer associated with specific paths.
- *
- * Gets a string representation of the lexicographically least among all shortest access paths
- * from the root to this node.
- */
- deprecated string getPath() { none() }
-
- /**
- * DEPRECATED. Use label-specific predicates in this class, such as `getMember`, instead of using `getASuccessor`.
- *
- * Gets a node such that there is an edge in the API graph between this node and the other
- * one, and that edge is labeled with `lbl`.
- */
- pragma[inline]
- deprecated Node getASuccessor(Label::ApiLabel lbl) {
- labelledEdge(this.getAnEpsilonSuccessor(), lbl, result)
- }
-
- /**
- * DEPRECATED. API graphs no longer support backward traversal of edges. If possible use `.backtrack()` to get
- * a node intended for backtracking.
- *
- * Gets a node such that there is an edge in the API graph between that other node and
- * this one, and that edge is labeled with `lbl`
- */
- deprecated Node getAPredecessor(Label::ApiLabel lbl) { this = result.getASuccessor(lbl) }
-
- /**
- * DEPRECATED. API graphs no longer support backward traversal of edges. If possible use `.backtrack()` to get
- * a node intended for backtracking.
- *
- * Gets a node such that there is an edge in the API graph between this node and the other
- * one.
- */
- deprecated Node getAPredecessor() { result = this.getAPredecessor(_) }
-
- /**
- * Gets a node such that there is an edge in the API graph between that other node and
- * this one.
- */
- pragma[inline]
- deprecated Node getASuccessor() { result = this.getASuccessor(_) }
-
- /** DEPRECATED. API graphs are no longer associated with a depth. */
- deprecated int getDepth() { none() }
-
 pragma[inline]
 private Node getAnEpsilonSuccessor() { result = getAnEpsilonSuccessorInline(this) }
 }
- /** DEPRECATED. Use `API::root()` to access the root node. */
- deprecated class Root = RootNode;
-
- /** DEPRECATED. A node corresponding to the use of an API component. */
- deprecated class Use = ForwardNode;
-
- /** DEPRECATED. A node corresponding to a value escaping into an API component. */
- deprecated class Def = SinkNode;
-
 /** The root node of an API graph. */
 private class RootNode extends Node, Impl::MkRoot {
 override string toString() { result = "Root()" }
@@ -1327,270 +1227,4 @@ module API {
 node = MkMethodAccessNode(entry.getACall())
 }
 }
-
- /**
- * Holds if there is an edge from `pred` to `succ` in the API graph that is labeled with `lbl`.
- */
- pragma[nomagic]
- deprecated private predicate labelledEdge(Node pred, Label::ApiLabel lbl, Node succ) {
- exists(string name |
- Impl::memberEdge(pred, name, succ) and
- lbl = Label::member(name)
- )
- or
- exists(string name |
- Impl::methodEdge(pred, name, succ) and
- lbl = Label::method(name)
- )
- or
- exists(DataFlow::Content content |
- Impl::contentEdge(pred, content, succ) and
- lbl = Label::content(content)
- )
- or
- exists(DataFlowDispatch::ParameterPosition pos |
- Impl::parameterEdge(pred, pos, succ) and
- lbl = Label::getLabelFromParameterPosition(pos)
- )
- or
- exists(DataFlowDispatch::ArgumentPosition pos |
- Impl::argumentEdge(pred, pos, succ) and
- lbl = Label::getLabelFromArgumentPosition(pos)
- )
- or
- Impl::instanceEdge(pred, succ) and
- lbl = Label::instance()
- or
- Impl::returnEdge(pred, succ) and
- lbl = Label::return()
- or
- exists(EntryPoint entry |
- Impl::entryPointEdge(entry, succ) and
- pred = root() and
- lbl = Label::entryPoint(entry)
- )
- }
-
- /**
- * DEPRECATED. Treating the API graph as an explicit labelled graph is deprecated - instead use the methods on `API:Node` directly.
- *
- * Provides classes modeling the various edges (labels) in the API graph.
- */
- deprecated module Label {
- /** All the possible labels in the API graph. */
- private newtype TLabel =
- MkLabelMember(string member) { member = any(ConstantReadAccess a).getName() } or
- MkLabelMethod(string m) { m = any(DataFlow::CallNode c).getMethodName() } or
- MkLabelReturn() or
- MkLabelInstance() or
- MkLabelKeywordParameter(string name) {
- any(DataFlowDispatch::ArgumentPosition arg).isKeyword(name)
- or
- any(DataFlowDispatch::ParameterPosition arg).isKeyword(name)
- } or
- MkLabelParameter(int n) {
- any(DataFlowDispatch::ArgumentPosition c).isPositional(n)
- or
- any(DataFlowDispatch::ParameterPosition c).isPositional(n)
- } or
- MkLabelBlockParameter() or
- MkLabelEntryPoint(EntryPoint name) or
- MkLabelContent(DataFlow::Content content)
-
- /** A label in the API-graph */
- class ApiLabel extends TLabel {
- /** Gets a string representation of this label. */
- string toString() { result = "???" }
- }
-
- private import LabelImpl
-
- private module LabelImpl {
- private import Impl
-
- /** A label for a member, for example a constant. */
- class LabelMember extends ApiLabel, MkLabelMember {
- private string member;
-
- LabelMember() { this = MkLabelMember(member) }
-
- /** Gets the member name associated with this label. */
- string getMember() { result = member }
-
- override string toString() { result = "getMember(\"" + member + "\")" }
- }
-
- /** A label for a method. */
- class LabelMethod extends ApiLabel, MkLabelMethod {
- private string method;
-
- LabelMethod() { this = MkLabelMethod(method) }
-
- /** Gets the method name associated with this label. */
- string getMethod() { result = method }
-
- override string toString() { result = "getMethod(\"" + method + "\")" }
- }
-
- /** A label for the return value of a method. */
- class LabelReturn extends ApiLabel, MkLabelReturn {
- override string toString() { result = "getReturn()" }
- }
-
- /** A label for getting instances of a module/class. */
- class LabelInstance extends ApiLabel, MkLabelInstance {
- override string toString() { result = "getInstance()" }
- }
-
- /** A label for a keyword parameter. */
- class LabelKeywordParameter extends ApiLabel, MkLabelKeywordParameter {
- private string name;
-
- LabelKeywordParameter() { this = MkLabelKeywordParameter(name) }
-
- /** Gets the name of the keyword parameter associated with this label. */
- string getName() { result = name }
-
- override string toString() { result = "getKeywordParameter(\"" + name + "\")" }
- }
-
- /** A label for a parameter. */
- class LabelParameter extends ApiLabel, MkLabelParameter {
- private int n;
-
- LabelParameter() { this = MkLabelParameter(n) }
-
- /** Gets the parameter number associated with this label. */
- int getIndex() { result = n }
-
- override string toString() { result = "getParameter(" + n + ")" }
- }
-
- /** A label for a block parameter. */
- class LabelBlockParameter extends ApiLabel, MkLabelBlockParameter {
- override string toString() { result = "getBlock()" }
- }
-
- /** A label from the root node to a custom entry point. */
- class LabelEntryPoint extends ApiLabel, MkLabelEntryPoint {
- private API::EntryPoint name;
-
- LabelEntryPoint() { this = MkLabelEntryPoint(name) }
-
- override string toString() { result = "entryPoint(\"" + name + "\")" }
-
- /** Gets the name of the entry point. */
- API::EntryPoint getName() { result = name }
- }
-
- /** A label representing contents of an object. */
- class LabelContent extends ApiLabel, MkLabelContent {
- private DataFlow::Content content;
-
- LabelContent() { this = MkLabelContent(content) }
-
- override string toString() {
- result = "getContent(" + content.toString().replaceAll(" ", "_") + ")"
- }
-
- /** Gets the content represented by this label. */
- DataFlow::Content getContent() { result = content }
- }
- }
-
- /** Gets the `member` edge label for member `m`. */
- LabelMember member(string m) { result.getMember() = m }
-
- /** Gets the `method` edge label. */
- LabelMethod method(string m) { result.getMethod() = m }
-
- /** Gets the `return` edge label. */
- LabelReturn return() { any() }
-
- /** Gets the `instance` edge label. */
- LabelInstance instance() { any() }
-
- /** Gets the label representing the given keyword argument/parameter. */
- LabelKeywordParameter keywordParameter(string name) { result.getName() = name }
-
- /** Gets the label representing the `n`th positional argument/parameter. */
- LabelParameter parameter(int n) { result.getIndex() = n }
-
- /** Gets the label representing the block argument/parameter. */
- LabelBlockParameter blockParameter() { any() }
-
- /** Gets the label for the edge from the root node to a custom entry point of the given name. */
- LabelEntryPoint entryPoint(API::EntryPoint name) { result.getName() = name }
-
- /** Gets a label representing the given content. */
- LabelContent content(DataFlow::Content content) { result.getContent() = content }
-
- /** Gets the API graph label corresponding to the given argument position. */
- Label::ApiLabel getLabelFromArgumentPosition(DataFlowDispatch::ArgumentPosition pos) {
- exists(int n |
- pos.isPositional(n) and
- result = Label::parameter(n)
- )
- or
- exists(string name |
- pos.isKeyword(name) and
- result = Label::keywordParameter(name)
- )
- or
- pos.isBlock() and
- result = Label::blockParameter()
- or
- pos.isAny() and
- (
- result = Label::parameter(_)
- or
- result = Label::keywordParameter(_)
- or
- result = Label::blockParameter()
- // NOTE: `self` should NOT be included, as described in the QLDoc for `isAny()`
- )
- or
- pos.isAnyNamed() and
- result = Label::keywordParameter(_)
- //
- // Note: there is currently no API graph label for `self`.
- // It was omitted since in practice it means going back to where you came from.
- // For example, `base.getMethod("foo").getSelf()` would just be `base`.
- // However, it's possible we'll need it later, for identifying `self` parameters or post-update nodes.
- }
-
- /** Gets the API graph label corresponding to the given parameter position. */
- Label::ApiLabel getLabelFromParameterPosition(DataFlowDispatch::ParameterPosition pos) {
- exists(int n |
- pos.isPositional(n) and
- result = Label::parameter(n)
- )
- or
- exists(string name |
- pos.isKeyword(name) and
- result = Label::keywordParameter(name)
- )
- or
- pos.isBlock() and
- result = Label::blockParameter()
- or
- pos.isAny() and
- (
- result = Label::parameter(_)
- or
- result = Label::keywordParameter(_)
- or
- result = Label::blockParameter()
- // NOTE: `self` should NOT be included, as described in the QLDoc for `isAny()`
- )
- or
- pos.isAnyNamed() and
- result = Label::keywordParameter(_)
- //
- // Note: there is currently no API graph label for `self`.
- // It was omitted since in practice it means going back to where you came from.
- // For example, `base.getMethod("foo").getSelf()` would just be `base`.
- // However, it's possible we'll need it later, for identifying `self` parameters or post-update nodes.
- }
- }
 }
diff --git a/ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll b/ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll
index 01f0f1726d34..c822450bf89c 100644
--- a/ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll
+++ b/ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll
@@ -200,13 +200,6 @@ module ExprNodes {
 override LhsExpr getExpr() { result = super.getExpr() }
- /**
- * DEPRECATED: use `getVariable` instead.
- *
- * Gets a variable used in (or introduced by) this LHS.
- */
- deprecated Variable getAVariable() { result = e.(VariableAccess).getVariable() }
-
 /** Gets the variable used in (or introduced by) this LHS. */
 Variable getVariable() { result = e.(VariableAccess).getVariable() }
 }
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
index 05af2d0c07e1..4c0adc95f25c 100644
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -635,8 +635,7 @@ private module Cached {
 } or
 TElementContentOfTypeContent(string type, Boolean includeUnknown) {
 type = any(Content::KnownElementContent content).getIndex().getValueType()
- } or
- deprecated TNoContentSet() // Only used by type-tracking
+ }
 cached
 class TContentSet =
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll
index 1172ad8f7330..93e579c585d5 100644
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll
@@ -1284,13 +1284,6 @@ class LhsExprNode extends ExprNode {
 /** Gets the underlying AST node as a `LhsExpr`. */
 LhsExpr asLhsExprAstNode() { result = lhsExprCfgNode.getExpr() }
- /**
- * DEPRECATED: use `getVariable` instead.
- *
- * Gets a variable used in (or introduced by) this LHS.
- */
- deprecated Variable getAVariable() { result = lhsExprCfgNode.getAVariable() }
-
 /** Gets the variable used in (or introduced by) this LHS. */
 Variable getVariable() { result = lhsExprCfgNode.getVariable() }
 }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
index 7348bfc699bb..50f6986f77aa 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -106,71 +106,10 @@ class ActiveRecordModelClass extends ClassDeclaration {
 // Gets the class declaration for this class and all of its super classes
 private ModuleBase getAllClassDeclarations() { result = cls.getAnAncestor().getADeclaration() }
- /**
- * Gets methods defined in this class that may access a field from the database.
- */
- deprecated Method getAPotentialFieldAccessMethod() {
- // It's a method on this class or one of its super classes
- result = this.getAllClassDeclarations().getAMethod() and
- // There is a value that can be returned by this method which may include field data
- exists(DataFlow::Node returned, ActiveRecordInstanceMethodCall cNode, MethodCall c |
- exprNodeReturnedFrom(returned, result) and
- cNode.flowsTo(returned) and
- c = cNode.asExpr().getExpr()
- |
- // The referenced method is not built-in, and...
- not isBuiltInMethodForActiveRecordModelInstance(c.getMethodName()) and
- (
- // ...The receiver does not have a matching method definition, or...
- not exists(
- cNode.getInstance().getClass().getAllClassDeclarations().getMethod(c.getMethodName())
- )
- or
- // ...the called method can access a field
- c.getATarget() = cNode.getInstance().getClass().getAPotentialFieldAccessMethod()
- )
- )
- }
-
 /** Gets the class as a `DataFlow::ClassNode`. */
 DataFlow::ClassNode getClassNode() { result = cls }
 }
-/**
- * Gets a potential reference to an ActiveRecord class object.
- */
-deprecated private API::Node getAnActiveRecordModelClassRef() {
- result = any(ActiveRecordModelClass cls).getClassNode().trackModule()
- or
- // For methods with an unknown call target, assume this might be a database field, thus returning another ActiveRecord object.
- // In this case we do not know which class it belongs to, which is why this predicate can't associate the reference with a specific class.
- result = getAnUnknownActiveRecordModelClassCall().getReturn()
-}
-
-/**
- * Gets a call performed on an ActiveRecord class object, without a known call target in the codebase.
- */
-deprecated private API::MethodAccessNode getAnUnknownActiveRecordModelClassCall() {
- result = getAnActiveRecordModelClassRef().getMethod(_) and
- result.asCall().asExpr().getExpr() instanceof UnknownMethodCall
-}
-
-/**
- * DEPRECATED. Use `ActiveRecordModelClass.getClassNode().trackModule().getMethod()` instead.
- *
- * A class method call whose receiver is an `ActiveRecordModelClass`.
- */
-deprecated class ActiveRecordModelClassMethodCall extends MethodCall {
- ActiveRecordModelClassMethodCall() {
- this = getAnUnknownActiveRecordModelClassCall().asCall().asExpr().getExpr()
- }
-
- /** Gets the `ActiveRecordModelClass` of the receiver of this method, if it can be determined. */
- ActiveRecordModelClass getReceiverClass() {
- this = result.getClassNode().trackModule().getMethod(_).asCall().asExpr().getExpr()
- }
-}
-
 private predicate sqlFragmentArgumentInner(DataFlow::CallNode call, DataFlow::Node sink) {
 call = activeRecordQueryBuilderCall([
@@ -257,39 +196,6 @@ private predicate unsafeSqlExpr(Expr sqlFragmentExpr) {
 sqlFragmentExpr instanceof MethodCall
 }
-/**
- * DEPRECATED. Use the `SqlExecution` concept or `ActiveRecordSqlExecutionRange`.
- *
- * A method call that may result in executing unintended user-controlled SQL
- * queries if the `getSqlFragmentSinkArgument()` expression is tainted by
- * unsanitized user-controlled input. For example, supposing that `User` is an
- * `ActiveRecord` model class, then
- *
- * ```rb
- * User.where("name = '#{user_name}'")
- * ```
- *
- * may be unsafe if `user_name` is from unsanitized user input, as a value such
- * as `"') OR 1=1 --"` could result in the application looking up all users
- * rather than just one with a matching name.
- */
-deprecated class PotentiallyUnsafeSqlExecutingMethodCall extends ActiveRecordModelClassMethodCall {
- private DataFlow::CallNode call;
-
- PotentiallyUnsafeSqlExecutingMethodCall() {
- call.asExpr().getExpr() = this and sqlFragmentArgument(call, _)
- }
-
- /**
- * Gets the SQL fragment argument of this method call.
- */
- Expr getSqlFragmentSinkArgument() {
- exists(DataFlow::Node sink |
- sqlFragmentArgument(call, sink) and result = sink.asExpr().getExpr()
- )
- }
-}
-
 /**
 * A SQL execution arising from a call to the ActiveRecord library.
 */
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveResource.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveResource.qll
index 9f0e0f4b8598..122202c63b78 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveResource.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveResource.qll
@@ -66,27 +66,6 @@ module ActiveResource { } } - /** DEPRECATED. Use `ModelClassNode` instead. */ - deprecated class ModelClass extends ClassDeclaration { - private ModelClassNode cls; - - ModelClass() { this = cls.getADeclaration() } - - /** Gets the class for which this is a declaration. */ - ModelClassNode getClassNode() { result = cls } - - /** Gets the API node for this class object. */ - deprecated API::Node getModelApiNode() { result = cls.trackModule() } - - /** Gets a call to `site=`, which sets the base URL for this model. */ - SiteAssignCall getASiteAssignment() { result = cls.getASiteAssignment() } - - /** Holds if `c` sets a base URL which does not use HTTPS. */ - predicate disablesCertificateValidation(SiteAssignCall c) { - cls.disablesCertificateValidation(c) - } - } - /** * A call to a class method on an ActiveResource model class. * @@ -169,20 +148,6 @@ module ActiveResource { CustomHttpCall() { this.getMethodName() = ["get", "post", "put", "patch", "delete"] } } - /** - * DEPRECATED. Use `ModelClassNode.getAnInstanceReference()` instead. - * - * An ActiveResource model object. - */ - deprecated class ModelInstance extends DataFlow::Node { - private ModelClassNode cls; - - ModelInstance() { this = cls.getAnInstanceReference().getAValueReachableFromSource() } - - /** Gets the model class for this instance. */ - ModelClassNode getModelClass() { result = cls } - } - /** * A call to a method on an ActiveResource model object. */ 
@@ -191,22 +156,10 @@ module ActiveResource { ModelInstanceMethodCall() { this = cls.getAnInstanceReference().getAMethodCall(_) } - /** Gets the model instance for this call. */ - deprecated ModelInstance getInstance() { result = this.getReceiver() } - /** Gets the model class for this call. */ ModelClassNode getModelClass() { result = cls } } - /** - * DEPRECATED. Use `CollectionSource` instead. - * - * A data flow node that may refer to a collection of ActiveResource model objects. - */ - deprecated class Collection extends DataFlow::Node { - Collection() { this = any(CollectionSource src).track().getAValueReachableFromSource() } - } - /** * A call that returns a collection of ActiveResource model objects. */ diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Twirp.qll b/ruby/ql/lib/codeql/ruby/frameworks/Twirp.qll index 7b8648bd2b17..483eea7b63c6 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Twirp.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Twirp.qll 
@@ -13,36 +13,6 @@ private import codeql.ruby.Concepts * Provides classes for modeling the `Twirp` framework. */ module Twirp { - /** - * A Twirp service instantiation - */ - deprecated class ServiceInstantiation extends DataFlow::CallNode { - ServiceInstantiation() { - this = API::getTopLevelMember("Twirp").getMember("Service").getAnInstantiation() - } - - /** - * Gets a handler's method. - */ - DataFlow::MethodNode getAHandlerMethodNode() { - result = this.getArgument(0).backtrack().getMethod(_).asCallable() - } - - /** - * Gets a handler's method as an AST node. - */ - Ast::Method getAHandlerMethod() { result = this.getAHandlerMethodNode().asCallableAstNode() } - } - - /** - * A Twirp client - */ - deprecated class ClientInstantiation extends DataFlow::CallNode { - ClientInstantiation() { - this = API::getTopLevelMember("Twirp").getMember("Client").getAnInstantiation() - } - } - /** The URL of a Twirp service, considered as a sink. */ class ServiceUrlAsSsrfSink extends ServerSideRequestForgery::Sink { ServiceUrlAsSsrfSink() { diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll index c2d7437c169d..8d801b8548d9 100644 --- a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll @@ -34,9 +34,3 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig { * Taint-tracking for download of sensitive file through insecure connection. */ module InsecureDownloadFlow = DataFlow::GlobalWithState; - -/** DEPRECATED: Use `InsecureDownloadConfig` */ -deprecated module Config = InsecureDownloadConfig; - -/** DEPRECATED: Use `InsecureDownloadFlow` */ -deprecated module Flow = InsecureDownloadFlow; diff --git a/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll index 770357c2d1b5..e9909d219ffe 100644 
--- a/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll @@ -7,15 +7,6 @@ private import codeql.ruby.DataFlow private import codeql.ruby.TaintTracking private import LdapInjectionCustomizations::LdapInjection as LI -/** - * Provides a taint-tracking configuration for detecting LDAP Injections vulnerabilities. - * DEPRECATED: Use `LdapInjectionFlow` instead - */ -deprecated module LdapInjection { - import LdapInjectionCustomizations::LdapInjection - import TaintTracking::Global -} - private module LdapInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof LI::Source } diff --git a/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll index c9b383aa3bae..927c46ede6bd 100644 --- a/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll @@ -11,15 +11,6 @@ import codeql.ruby.AST import codeql.ruby.DataFlow import codeql.ruby.TaintTracking -/** - * Provides a taint-tracking configuration for cross-site scripting vulnerabilities. - * DEPRECATED: Use StoredXssFlow - */ -deprecated module StoredXss { - import XSS::StoredXss - import TaintTracking::Global -} - private module StoredXssConfig implements DataFlow::ConfigSig { private import XSS::StoredXss diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll index 746a380e62cf..4d4cf19be12b 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll 
@@ -43,8 +43,6 @@ module UnsafeCodeConstruction { result = getANodeExecutedAsCode(TypeBackTracker::end(), codeExec) } - deprecated import codeql.ruby.typetracking.TypeTracker as TypeTracker - /** Gets a node that is eventually executed as code at `codeExec`, type-tracked with `t`. */ private DataFlow::LocalSourceNode getANodeExecutedAsCode( TypeBackTracker t, Concepts::CodeExecution codeExec diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionCustomizations.qll index be57768c1418..ee00d96b4f34 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionCustomizations.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionCustomizations.qll @@ -48,8 +48,6 @@ module UnsafeShellCommandConstruction { source = backtrackShellExec(TypeBackTracker::end(), shellExec) } - deprecated import codeql.ruby.typetracking.TypeTracker as TypeTracker - private DataFlow::LocalSourceNode backtrackShellExec( TypeBackTracker t, Concepts::SystemCommandExecution shellExec ) { diff --git a/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll index adbff127a8d7..d443f2a39259 100644 --- a/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll @@ -10,14 +10,6 @@ private import codeql.ruby.DataFlow private import codeql.ruby.TaintTracking import XpathInjectionCustomizations::XpathInjection -/** - * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities. - * DEPRECATED: Use `XpathInjectionFlow` - */ -deprecated module XpathInjection { - import TaintTracking::Global -} - private module XpathInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof Source } 
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll
index cc79cdb26996..c56f7c48468f 100644
--- a/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll
+++ b/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll
@@ -8,929 +8,6 @@ private import TypeTrackerSpecific private import codeql.util.Boolean cached -private module Cached { - /** - * A description of a step on an inter-procedural data flow path. - */ - cached - deprecated newtype TStepSummary = - LevelStep() or - CallStep() or - ReturnStep() or - deprecated StoreStep(TypeTrackerContent content) { basicStoreStep(_, _, content) } or - deprecated LoadStep(TypeTrackerContent content) { basicLoadStep(_, _, content) } or - deprecated LoadStoreStep(TypeTrackerContent load, TypeTrackerContent store) { - basicLoadStoreStep(_, _, load, store) - } or - deprecated WithContent(ContentFilter filter) { basicWithContentStep(_, _, filter) } or - deprecated WithoutContent(ContentFilter filter) { basicWithoutContentStep(_, _, filter) } or - JumpStep() - - cached - deprecated newtype TTypeTracker = - deprecated MkTypeTracker(Boolean hasCall, OptionalTypeTrackerContent content) { - content = noContent() - or - // Restrict `content` to those that might eventually match a load. - // We can't rely on `basicStoreStep` since `startInContent` might be used with - // a content that has no corresponding store. - exists(TypeTrackerContent loadContents | - ( - basicLoadStep(_, _, loadContents) - or - basicLoadStoreStep(_, _, loadContents, _) - ) and - compatibleContents(content, loadContents) - ) - } - - cached - deprecated newtype TTypeBackTracker = - deprecated MkTypeBackTracker(Boolean hasReturn, OptionalTypeTrackerContent content) { - content = noContent() - or - // As in MkTypeTracker, restrict `content` to those that might eventually match a store. - exists(TypeTrackerContent storeContent | - ( - basicStoreStep(_, _, storeContent) - or - basicLoadStoreStep(_, _, _, storeContent) - ) and - compatibleContents(storeContent, content) - ) - } - - /** Gets a type tracker with no content and the call bit set to the given value. 
*/ - cached - deprecated TypeTracker noContentTypeTracker(boolean hasCall) { - result = MkTypeTracker(hasCall, noContent()) - } - - /** Gets the summary resulting from appending `step` to type-tracking summary `tt`. */ - cached - deprecated TypeTracker append(TypeTracker tt, StepSummary step) { - exists(Boolean hasCall, OptionalTypeTrackerContent currentContents | - tt = MkTypeTracker(hasCall, currentContents) - | - step = LevelStep() and result = tt - or - step = CallStep() and result = MkTypeTracker(true, currentContents) - or - step = ReturnStep() and hasCall = false and result = tt - or - step = JumpStep() and - result = MkTypeTracker(false, currentContents) - or - exists(ContentFilter filter | result = tt | - step = WithContent(filter) and - currentContents = filter.getAMatchingContent() - or - step = WithoutContent(filter) and - not currentContents = filter.getAMatchingContent() - ) - ) - or - exists(TypeTrackerContent storeContents, boolean hasCall | - exists(TypeTrackerContent loadContents | - step = LoadStep(pragma[only_bind_into](loadContents)) and - tt = MkTypeTracker(hasCall, storeContents) and - compatibleContents(storeContents, loadContents) and - result = noContentTypeTracker(hasCall) - ) - or - step = StoreStep(pragma[only_bind_into](storeContents)) and - tt = noContentTypeTracker(hasCall) and - result = MkTypeTracker(hasCall, storeContents) - ) - or - exists( - TypeTrackerContent currentContent, TypeTrackerContent store, TypeTrackerContent load, - boolean hasCall - | - step = LoadStoreStep(pragma[only_bind_into](load), pragma[only_bind_into](store)) and - compatibleContents(pragma[only_bind_into](currentContent), load) and - tt = MkTypeTracker(pragma[only_bind_into](hasCall), currentContent) and - result = MkTypeTracker(pragma[only_bind_out](hasCall), store) - ) - } - - pragma[nomagic] - deprecated private TypeBackTracker noContentTypeBackTracker(boolean hasReturn) { - result = MkTypeBackTracker(hasReturn, noContent()) - } - - /** Gets the summary 
resulting from prepending `step` to this type-tracking summary. */ - cached - deprecated TypeBackTracker prepend(TypeBackTracker tbt, StepSummary step) { - exists(Boolean hasReturn, OptionalTypeTrackerContent content | - tbt = MkTypeBackTracker(hasReturn, content) - | - step = LevelStep() and result = tbt - or - step = CallStep() and hasReturn = false and result = tbt - or - step = ReturnStep() and result = MkTypeBackTracker(true, content) - or - step = JumpStep() and - result = MkTypeBackTracker(false, content) - or - exists(ContentFilter filter | result = tbt | - step = WithContent(filter) and - content = filter.getAMatchingContent() - or - step = WithoutContent(filter) and - not content = filter.getAMatchingContent() - ) - ) - or - exists(TypeTrackerContent loadContents, boolean hasReturn | - exists(TypeTrackerContent storeContents | - step = StoreStep(pragma[only_bind_into](storeContents)) and - tbt = MkTypeBackTracker(hasReturn, loadContents) and - compatibleContents(storeContents, loadContents) and - result = noContentTypeBackTracker(hasReturn) - ) - or - step = LoadStep(pragma[only_bind_into](loadContents)) and - tbt = noContentTypeBackTracker(hasReturn) and - result = MkTypeBackTracker(hasReturn, loadContents) - ) - or - exists( - TypeTrackerContent currentContent, TypeTrackerContent store, TypeTrackerContent load, - boolean hasCall - | - step = LoadStoreStep(pragma[only_bind_into](load), pragma[only_bind_into](store)) and - compatibleContents(store, pragma[only_bind_into](currentContent)) and - tbt = MkTypeBackTracker(pragma[only_bind_into](hasCall), currentContent) and - result = MkTypeBackTracker(pragma[only_bind_out](hasCall), load) - ) - } - - /** - * Gets the summary that corresponds to having taken a forwards - * heap and/or intra-procedural step from `nodeFrom` to `nodeTo`. - * - * Steps contained in this predicate should _not_ depend on the call graph. 
- */ - cached - deprecated predicate stepNoCall( - TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo, StepSummary summary - ) { - exists(Node mid | nodeFrom.flowsTo(mid) and smallstepNoCall(mid, nodeTo, summary)) - } - - /** - * Gets the summary that corresponds to having taken a forwards - * inter-procedural step from `nodeFrom` to `nodeTo`. - */ - cached - deprecated predicate stepCall( - TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo, StepSummary summary - ) { - exists(Node mid | nodeFrom.flowsTo(mid) and smallstepCall(mid, nodeTo, summary)) - } - - cached - deprecated predicate smallstepNoCall(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - jumpStep(nodeFrom, nodeTo) and - summary = JumpStep() - or - levelStepNoCall(nodeFrom, nodeTo) and - summary = LevelStep() - or - exists(TypeTrackerContent content | - flowsToStoreStep(nodeFrom, nodeTo, content) and - summary = StoreStep(content) - or - basicLoadStep(nodeFrom, nodeTo, content) and summary = LoadStep(content) - ) - or - exists(TypeTrackerContent loadContent, TypeTrackerContent storeContent | - flowsToLoadStoreStep(nodeFrom, nodeTo, loadContent, storeContent) and - summary = LoadStoreStep(loadContent, storeContent) - ) - or - exists(ContentFilter filter | - basicWithContentStep(nodeFrom, nodeTo, filter) and - summary = WithContent(filter) - or - basicWithoutContentStep(nodeFrom, nodeTo, filter) and - summary = WithoutContent(filter) - ) - } - - cached - deprecated predicate smallstepCall(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - callStep(nodeFrom, nodeTo) and summary = CallStep() - or - returnStep(nodeFrom, nodeTo) and - summary = ReturnStep() - or - levelStepCall(nodeFrom, nodeTo) and - summary = LevelStep() - } -} +private module Cached { } private import Cached - -deprecated private predicate step( - TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo, StepSummary summary -) { - stepNoCall(nodeFrom, nodeTo, summary) - or - stepCall(nodeFrom, nodeTo, summary) -} - 
-pragma[nomagic] -deprecated private predicate stepProj(TypeTrackingNode nodeFrom, StepSummary summary) { - step(nodeFrom, _, summary) -} - -deprecated private predicate smallstep(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - smallstepNoCall(nodeFrom, nodeTo, summary) - or - smallstepCall(nodeFrom, nodeTo, summary) -} - -pragma[nomagic] -deprecated private predicate smallstepProj(Node nodeFrom, StepSummary summary) { - smallstep(nodeFrom, _, summary) -} - -/** - * Holds if `nodeFrom` is being written to the `content` of the object in `nodeTo`. - * - * Note that `nodeTo` will always be a local source node that flows to the place where the content - * is written in `basicStoreStep`. This may lead to the flow of information going "back in time" - * from the point of view of the execution of the program. - * - * For instance, if we interpret attribute writes in Python as writing to content with the same - * name as the attribute and consider the following snippet - * - * ```python - * def foo(y): - * x = Foo() - * bar(x) - * x.attr = y - * baz(x) - * - * def bar(x): - * z = x.attr - * ``` - * for the attribute write `x.attr = y`, we will have `content` being the literal string `"attr"`, - * `nodeFrom` will be `y`, and `nodeTo` will be the object `Foo()` created on the first line of the - * function. This means we will track the fact that `x.attr` can have the type of `y` into the - * assignment to `z` inside `bar`, even though this attribute write happens _after_ `bar` is called. - */ -deprecated private predicate flowsToStoreStep( - Node nodeFrom, TypeTrackingNode nodeTo, TypeTrackerContent content -) { - exists(Node obj | nodeTo.flowsTo(obj) and basicStoreStep(nodeFrom, obj, content)) -} - -/** - * Holds if `loadContent` is loaded from `nodeFrom` and written to `storeContent` of `nodeTo`. 
- */ -deprecated private predicate flowsToLoadStoreStep( - Node nodeFrom, TypeTrackingNode nodeTo, TypeTrackerContent loadContent, - TypeTrackerContent storeContent -) { - exists(Node obj | - nodeTo.flowsTo(obj) and basicLoadStoreStep(nodeFrom, obj, loadContent, storeContent) - ) -} - -/** - * INTERNAL: Use `TypeTracker` or `TypeBackTracker` instead. - * - * A description of a step on an inter-procedural data flow path. - */ -deprecated class StepSummary extends TStepSummary { - /** Gets a textual representation of this step summary. */ - string toString() { - this instanceof LevelStep and result = "level" - or - this instanceof CallStep and result = "call" - or - this instanceof ReturnStep and result = "return" - or - exists(TypeTrackerContent content | this = StoreStep(content) | result = "store " + content) - or - exists(TypeTrackerContent content | this = LoadStep(content) | result = "load " + content) - or - exists(TypeTrackerContent load, TypeTrackerContent store | - this = LoadStoreStep(load, store) and - result = "load-store " + load + " -> " + store - ) - or - this instanceof JumpStep and result = "jump" - } -} - -/** Provides predicates for updating step summaries (`StepSummary`s). */ -deprecated module StepSummary { - predicate append = Cached::append/2; - - /** - * Gets the summary that corresponds to having taken a forwards - * inter-procedural step from `nodeFrom` to `nodeTo`. - * - * This predicate should normally not be used; consider using `step` - * instead. - */ - predicate stepCall = Cached::stepCall/3; - - /** - * Gets the summary that corresponds to having taken a forwards - * intra-procedural step from `nodeFrom` to `nodeTo`. - * - * This predicate should normally not be used; consider using `step` - * instead. - */ - predicate stepNoCall = Cached::stepNoCall/3; - - /** - * Gets the summary that corresponds to having taken a forwards - * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`. 
- */ - predicate step(TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - stepNoCall(nodeFrom, nodeTo, summary) - or - stepCall(nodeFrom, nodeTo, summary) - } - - /** - * Gets the summary that corresponds to having taken a forwards - * inter-procedural step from `nodeFrom` to `nodeTo`. - * - * This predicate should normally not be used; consider using `step` - * instead. - */ - predicate smallstepNoCall = Cached::smallstepNoCall/3; - - /** - * Gets the summary that corresponds to having taken a forwards - * intra-procedural step from `nodeFrom` to `nodeTo`. - * - * This predicate should normally not be used; consider using `step` - * instead. - */ - predicate smallstepCall = Cached::smallstepCall/3; - - /** - * Gets the summary that corresponds to having taken a forwards - * local, heap and/or inter-procedural step from `nodeFrom` to `nodeTo`. - * - * Unlike `StepSummary::step`, this predicate does not compress - * type-preserving steps. - */ - predicate smallstep(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) { - smallstepNoCall(nodeFrom, nodeTo, summary) - or - smallstepCall(nodeFrom, nodeTo, summary) - } - - /** Gets the step summary for a level step. */ - StepSummary levelStep() { result = LevelStep() } - - /** Gets the step summary for a call step. */ - StepSummary callStep() { result = CallStep() } - - /** Gets the step summary for a return step. */ - StepSummary returnStep() { result = ReturnStep() } - - /** Gets the step summary for storing into `content`. */ - StepSummary storeStep(TypeTrackerContent content) { result = StoreStep(content) } - - /** Gets the step summary for loading from `content`. */ - StepSummary loadStep(TypeTrackerContent content) { result = LoadStep(content) } - - /** Gets the step summary for loading from `load` and then storing into `store`. 
*/ - StepSummary loadStoreStep(TypeTrackerContent load, TypeTrackerContent store) { - result = LoadStoreStep(load, store) - } - - /** Gets the step summary for a step that only permits contents matched by `filter`. */ - StepSummary withContent(ContentFilter filter) { result = WithContent(filter) } - - /** Gets the step summary for a step that blocks contents matched by `filter`. */ - StepSummary withoutContent(ContentFilter filter) { result = WithoutContent(filter) } - - /** Gets the step summary for a jump step. */ - StepSummary jumpStep() { result = JumpStep() } -} - -/** - * DEPRECATED: Use `codeql.ruby.typetracking.TypeTracking` instead. - * - * A summary of the steps needed to track a value to a given dataflow node. - * - * This can be used to track objects that implement a certain API in order to - * recognize calls to that API. Note that type-tracking does not by itself provide a - * source/sink relation, that is, it may determine that a node has a given type, - * but it won't determine where that type came from. - * - * It is recommended that all uses of this type are written in the following form, - * for tracking some type `myType`: - * ```ql - * DataFlow::TypeTrackingNode myType(DataFlow::TypeTracker t) { - * t.start() and - * result = < source of myType > - * or - * exists (DataFlow::TypeTracker t2 | - * result = myType(t2).track(t2, t) - * ) - * } - * - * DataFlow::Node myType() { myType(DataFlow::TypeTracker::end()).flowsTo(result) } - * ``` - * - * Instead of `result = myType(t2).track(t2, t)`, you can also use the equivalent - * `t = t2.step(myType(t2), result)`. If you additionally want to track individual - * intra-procedural steps, use `t = t2.smallstep(myCallback(t2), result)`. - */ -deprecated class TypeTracker extends TTypeTracker { - Boolean hasCall; - OptionalTypeTrackerContent content; - - TypeTracker() { this = MkTypeTracker(hasCall, content) } - - /** Gets the summary resulting from appending `step` to this type-tracking summary. 
*/ - TypeTracker append(StepSummary step) { result = append(this, step) } - - /** Gets a textual representation of this summary. */ - string toString() { - exists(string withCall, string withContent | - (if hasCall = true then withCall = "with" else withCall = "without") and - ( - if content != noContent() - then withContent = " with content " + content - else withContent = "" - ) and - result = "type tracker " + withCall + " call steps" + withContent - ) - } - - /** - * Holds if this is the starting point of type tracking. - */ - predicate start() { hasCall = false and content = noContent() } - - /** - * Holds if this is the starting point of type tracking, and the value starts in the content named `contentName`. - * The type tracking only ends after the content has been loaded. - */ - predicate startInContent(TypeTrackerContent contentName) { - hasCall = false and content = contentName - } - - /** - * Holds if this is the starting point of type tracking - * when tracking a parameter into a call, but not out of it. - */ - predicate call() { hasCall = true and content = noContent() } - - /** - * Holds if this is the end point of type tracking. - */ - predicate end() { content = noContent() } - - /** - * INTERNAL. DO NOT USE. - * - * Holds if this type has been tracked into a call. - */ - boolean hasCall() { result = hasCall } - - /** - * INTERNAL. DO NOT USE. - * - * Gets the content associated with this type tracker. - */ - OptionalTypeTrackerContent getContent() { result = content } - - /** - * Gets a type tracker that starts where this one has left off to allow continued - * tracking. - * - * This predicate is only defined if the type is not associated to a piece of content. - */ - TypeTracker continue() { content = noContent() and result = this } - - /** - * Gets the summary that corresponds to having taken a forwards - * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`. 
- */ - bindingset[nodeFrom, this] - pragma[inline_late] - pragma[noopt] - TypeTracker step(TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo) { - exists(StepSummary summary | - stepProj(nodeFrom, summary) and - result = this.append(summary) and - step(nodeFrom, nodeTo, summary) - ) - } - - bindingset[nodeFrom, this] - pragma[inline_late] - pragma[noopt] - private TypeTracker smallstepNoSimpleLocalFlowStep(Node nodeFrom, Node nodeTo) { - exists(StepSummary summary | - smallstepProj(nodeFrom, summary) and - result = this.append(summary) and - smallstep(nodeFrom, nodeTo, summary) - ) - } - - /** - * Gets the summary that corresponds to having taken a forwards - * local, heap and/or inter-procedural step from `nodeFrom` to `nodeTo`. - * - * Unlike `TypeTracker::step`, this predicate exposes all edges - * in the flow graph, and not just the edges between `Node`s. - * It may therefore be less performant. - * - * Type tracking predicates using small steps typically take the following form: - * ```ql - * DataFlow::Node myType(DataFlow::TypeTracker t) { - * t.start() and - * result = < source of myType > - * or - * exists (DataFlow::TypeTracker t2 | - * t = t2.smallstep(myType(t2), result) - * ) - * } - * - * DataFlow::Node myType() { - * result = myType(DataFlow::TypeTracker::end()) - * } - * ``` - */ - pragma[inline] - TypeTracker smallstep(Node nodeFrom, Node nodeTo) { - result = this.smallstepNoSimpleLocalFlowStep(nodeFrom, nodeTo) - or - simpleLocalFlowStep(nodeFrom, nodeTo) and - result = this - } -} - -/** Provides predicates for implementing custom `TypeTracker`s. */ -deprecated module TypeTracker { - /** - * Gets a valid end point of type tracking. - */ - TypeTracker end() { result.end() } - - /** - * INTERNAL USE ONLY. - * - * Gets a valid end point of type tracking with the call bit set to the given value. 
- */ - predicate end = Cached::noContentTypeTracker/1; -} - -pragma[nomagic] -deprecated private predicate backStepProj(TypeTrackingNode nodeTo, StepSummary summary) { - step(_, nodeTo, summary) -} - -deprecated private predicate backSmallstepProj(TypeTrackingNode nodeTo, StepSummary summary) { - smallstep(_, nodeTo, summary) -} - -/** - * DEPRECATED: Use `codeql.ruby.typetracking.TypeTracking` instead. - * - * A summary of the steps needed to back-track a use of a value to a given dataflow node. - * - * This can for example be used to track callbacks that are passed to a certain API, - * so we can model specific parameters of that callback as having a certain type. - * - * Note that type back-tracking does not provide a source/sink relation, that is, - * it may determine that a node will be used in an API call somewhere, but it won't - * determine exactly where that use was, or the path that led to the use. - * - * It is recommended that all uses of this type are written in the following form, - * for back-tracking some callback type `myCallback`: - * - * ```ql - * DataFlow::TypeTrackingNode myCallback(DataFlow::TypeBackTracker t) { - * t.start() and - * result = (< some API call >).getArgument(< n >).getALocalSource() - * or - * exists (DataFlow::TypeBackTracker t2 | - * result = myCallback(t2).backtrack(t2, t) - * ) - * } - * - * DataFlow::TypeTrackingNode myCallback() { result = myCallback(DataFlow::TypeBackTracker::end()) } - * ``` - * - * Instead of `result = myCallback(t2).backtrack(t2, t)`, you can also use the equivalent - * `t2 = t.step(result, myCallback(t2))`. If you additionally want to track individual - * intra-procedural steps, use `t2 = t.smallstep(result, myCallback(t2))`. 
- */ -deprecated class TypeBackTracker extends TTypeBackTracker { - Boolean hasReturn; - OptionalTypeTrackerContent content; - - TypeBackTracker() { this = MkTypeBackTracker(hasReturn, content) } - - /** Gets the summary resulting from prepending `step` to this type-tracking summary. */ - TypeBackTracker prepend(StepSummary step) { result = prepend(this, step) } - - /** Gets a textual representation of this summary. */ - string toString() { - exists(string withReturn, string withContent | - (if hasReturn = true then withReturn = "with" else withReturn = "without") and - ( - if content != noContent() - then withContent = " with content " + content - else withContent = "" - ) and - result = "type back-tracker " + withReturn + " return steps" + withContent - ) - } - - /** - * Holds if this is the starting point of type tracking. - */ - predicate start() { hasReturn = false and content = noContent() } - - /** - * Holds if this is the end point of type tracking. - */ - predicate end() { content = noContent() } - - /** - * INTERNAL. DO NOT USE. - * - * Holds if this type has been back-tracked into a call through return edge. - */ - boolean hasReturn() { result = hasReturn } - - /** - * Gets a type tracker that starts where this one has left off to allow continued - * tracking. - * - * This predicate is only defined if the type has not been tracked into a piece of content. - */ - TypeBackTracker continue() { content = noContent() and result = this } - - /** - * Gets the summary that corresponds to having taken a backwards - * heap and/or inter-procedural step from `nodeTo` to `nodeFrom`. 
- */ - bindingset[nodeTo, result] - pragma[inline_late] - pragma[noopt] - TypeBackTracker step(TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo) { - exists(StepSummary summary | - backStepProj(nodeTo, summary) and - this = result.prepend(summary) and - step(nodeFrom, nodeTo, summary) - ) - } - - bindingset[nodeTo, result] - pragma[inline_late] - pragma[noopt] - private TypeBackTracker smallstepNoSimpleLocalFlowStep(Node nodeFrom, Node nodeTo) { - exists(StepSummary summary | - backSmallstepProj(nodeTo, summary) and - this = result.prepend(summary) and - smallstep(nodeFrom, nodeTo, summary) - ) - } - - /** - * Gets the summary that corresponds to having taken a backwards - * local, heap and/or inter-procedural step from `nodeTo` to `nodeFrom`. - * - * Unlike `TypeBackTracker::step`, this predicate exposes all edges - * in the flowgraph, and not just the edges between - * `TypeTrackingNode`s. It may therefore be less performant. - * - * Type tracking predicates using small steps typically take the following form: - * ```ql - * DataFlow::Node myType(DataFlow::TypeBackTracker t) { - * t.start() and - * result = < some API call >.getArgument(< n >) - * or - * exists (DataFlow::TypeBackTracker t2 | - * t = t2.smallstep(result, myType(t2)) - * ) - * } - * - * DataFlow::Node myType() { - * result = myType(DataFlow::TypeBackTracker::end()) - * } - * ``` - */ - pragma[inline] - TypeBackTracker smallstep(Node nodeFrom, Node nodeTo) { - this = this.smallstepNoSimpleLocalFlowStep(nodeFrom, nodeTo) - or - simpleLocalFlowStep(nodeFrom, nodeTo) and - this = result - } - - /** - * Gets a forwards summary that is compatible with this backwards summary. - * That is, if this summary describes the steps needed to back-track a value - * from `sink` to `mid`, and the result is a valid summary of the steps needed - * to track a value from `source` to `mid`, then the value from `source` may - * also flow to `sink`. 
- */
- TypeTracker getACompatibleTypeTracker() {
- exists(boolean hasCall, OptionalTypeTrackerContent c |
- result = MkTypeTracker(hasCall, c) and
- (
- compatibleContents(c, content)
- or
- content = noContent() and c = content
- )
- |
- hasCall = false
- or
- this.hasReturn() = false
- )
- }
-}
-
-/** Provides predicates for implementing custom `TypeBackTracker`s. */
-deprecated module TypeBackTracker {
- /**
- * Gets a valid end point of type back-tracking.
- */
- TypeBackTracker end() { result.end() }
-}
-
-/**
- * INTERNAL: Do not use.
- *
- * Provides logic for constructing a call graph in mutual recursion with type tracking.
- *
- * When type tracking is used to construct a call graph, we cannot use the join-order
- * from `stepInlineLate`, because `step` becomes a recursive call, which means that we
- * will have a conjunct with 3 recursive calls: the call to `step`, the call to `stepProj`,
- * and the recursive type tracking call itself. The solution is to split the three-way
- * non-linear recursion into two non-linear predicates: one that first joins with the
- * projected `stepCall` relation, followed by a predicate that joins with the full
- * `stepCall` relation (`stepNoCall` not being recursive, can be join-ordered in the
- * same way as in `stepInlineLate`).
- */
-deprecated module CallGraphConstruction {
- /** The input to call graph construction. */
- signature module InputSig {
- /** A state to track during type tracking. */
- class State;
-
- /** Holds if type tracking should start at `start` in state `state`. */
- deprecated predicate start(Node start, State state);
-
- /**
- * Holds if type tracking should use the step from `nodeFrom` to `nodeTo`,
- * which _does not_ depend on the call graph.
- *
- * Implementing this predicate using `StepSummary::[small]stepNoCall` yields
- * standard type tracking.
- */ - deprecated predicate stepNoCall(Node nodeFrom, Node nodeTo, StepSummary summary); - - /** - * Holds if type tracking should use the step from `nodeFrom` to `nodeTo`, - * which _does_ depend on the call graph. - * - * Implementing this predicate using `StepSummary::[small]stepCall` yields - * standard type tracking. - */ - deprecated predicate stepCall(Node nodeFrom, Node nodeTo, StepSummary summary); - - /** A projection of an element from the state space. */ - class StateProj; - - /** Gets the projection of `state`. */ - StateProj stateProj(State state); - - /** Holds if type tracking should stop at `n` when we are tracking projected state `stateProj`. */ - deprecated predicate filter(Node n, StateProj stateProj); - } - - /** Provides the `track` predicate for use in call graph construction. */ - module Make { - pragma[nomagic] - deprecated private predicate stepNoCallProj(Node nodeFrom, StepSummary summary) { - Input::stepNoCall(nodeFrom, _, summary) - } - - pragma[nomagic] - deprecated private predicate stepCallProj(Node nodeFrom, StepSummary summary) { - Input::stepCall(nodeFrom, _, summary) - } - - bindingset[nodeFrom, t] - pragma[inline_late] - pragma[noopt] - deprecated private TypeTracker stepNoCallInlineLate( - TypeTracker t, TypeTrackingNode nodeFrom, TypeTrackingNode nodeTo - ) { - exists(StepSummary summary | - stepNoCallProj(nodeFrom, summary) and - result = t.append(summary) and - Input::stepNoCall(nodeFrom, nodeTo, summary) - ) - } - - bindingset[state] - pragma[inline_late] - private Input::StateProj stateProjInlineLate(Input::State state) { - result = Input::stateProj(state) - } - - pragma[nomagic] - deprecated private Node track(Input::State state, TypeTracker t) { - t.start() and Input::start(result, state) - or - exists(Input::StateProj stateProj | - stateProj = stateProjInlineLate(state) and - not Input::filter(result, stateProj) - | - exists(TypeTracker t2 | t = stepNoCallInlineLate(t2, track(state, t2), result)) - or - 
exists(StepSummary summary | - // non-linear recursion - Input::stepCall(trackCall(state, t, summary), result, summary) - ) - ) - } - - bindingset[t, summary] - pragma[inline_late] - deprecated private TypeTracker appendInlineLate(TypeTracker t, StepSummary summary) { - result = t.append(summary) - } - - pragma[nomagic] - deprecated private Node trackCall(Input::State state, TypeTracker t, StepSummary summary) { - exists(TypeTracker t2 | - // non-linear recursion - result = track(state, t2) and - stepCallProj(result, summary) and - t = appendInlineLate(t2, summary) - ) - } - - /** Gets a node that can be reached from _some_ start node in state `state`. */ - pragma[nomagic] - deprecated Node track(Input::State state) { result = track(state, TypeTracker::end()) } - } - - /** A simple version of `CallGraphConstruction` that uses standard type tracking. */ - module Simple { - /** The input to call graph construction. */ - signature module InputSig { - /** A state to track during type tracking. */ - class State; - - /** Holds if type tracking should start at `start` in state `state`. */ - deprecated predicate start(Node start, State state); - - /** Holds if type tracking should stop at `n`. */ - deprecated predicate filter(Node n); - } - - /** Provides the `track` predicate for use in call graph construction. 
*/ - module Make { - deprecated private module I implements CallGraphConstruction::InputSig { - private import codeql.util.Unit - - class State = Input::State; - - predicate start(Node start, State state) { Input::start(start, state) } - - predicate stepNoCall(Node nodeFrom, Node nodeTo, StepSummary summary) { - StepSummary::stepNoCall(nodeFrom, nodeTo, summary) - } - - predicate stepCall(Node nodeFrom, Node nodeTo, StepSummary summary) { - StepSummary::stepCall(nodeFrom, nodeTo, summary) - } - - class StateProj = Unit; - - Unit stateProj(State state) { exists(state) and exists(result) } - - predicate filter(Node n, Unit u) { - Input::filter(n) and - exists(u) - } - } - - deprecated import CallGraphConstruction::Make - } - } -} diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll index df92128b608b..c92180d134ed 100644 --- a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll +++ b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll 
@@ -2,134 +2,3 @@ private import codeql.ruby.dataflow.internal.DataFlowPublic as DataFlowPublic private import codeql.ruby.dataflow.internal.DataFlowPrivate as DataFlowPrivate private import internal.TypeTrackingImpl as TypeTrackingImpl deprecated import codeql.util.Boolean - -deprecated class Node = DataFlowPublic::Node; - -deprecated class TypeTrackingNode = DataFlowPublic::LocalSourceNode; - -deprecated class TypeTrackerContent = DataFlowPublic::ContentSet; - -/** - * An optional content set, that is, a `ContentSet` or the special "no content set" value. - */ -deprecated class OptionalTypeTrackerContent extends DataFlowPrivate::TOptionalContentSet { - /** Gets a textual representation of this content set. */ - string toString() { - this instanceof DataFlowPrivate::TNoContentSet and - result = "no content" - or - result = this.(DataFlowPublic::ContentSet).toString() - } -} - -/** - * A label to use for `WithContent` and `WithoutContent` steps, restricting - * which `ContentSet` may pass through. - */ -deprecated class ContentFilter = TypeTrackingImpl::TypeTrackingInput::ContentFilter; - -/** Module for getting `ContentFilter` values. */ -deprecated module ContentFilter { - /** Gets the filter that only allow element contents. */ - ContentFilter hasElements() { any() } -} - -/** - * Holds if a value stored with `storeContents` can be read back with `loadContents`. - */ -pragma[inline] -deprecated predicate compatibleContents( - TypeTrackerContent storeContents, TypeTrackerContent loadContents -) { - storeContents.getAStoreContent() = loadContents.getAReadContent() -} - -/** Gets the "no content set" value to use for a type tracker not inside any content. 
*/ -deprecated OptionalTypeTrackerContent noContent() { result = DataFlowPrivate::TNoContentSet() } - -/** Holds if there is a simple local flow step from `nodeFrom` to `nodeTo` */ -deprecated predicate simpleLocalFlowStep = - TypeTrackingImpl::TypeTrackingInput::simpleLocalSmallStep/2; - -/** - * Holds if data can flow from `node1` to `node2` in a way that discards call contexts. - */ -deprecated predicate jumpStep = TypeTrackingImpl::TypeTrackingInput::jumpStep/2; - -/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which may depend on the call graph. */ -deprecated predicate levelStepCall = TypeTrackingImpl::TypeTrackingInput::levelStepCall/2; - -/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which does not depend on the call graph. */ -deprecated predicate levelStepNoCall = TypeTrackingImpl::TypeTrackingInput::levelStepNoCall/2; - -/** - * Holds if `nodeFrom` steps to `nodeTo` by being passed as a parameter in a call. - * - * Flow into summarized library methods is not included, as that will lead to negative - * recursion (or, at best, terrible performance), since identifying calls to library - * methods is done using API graphs (which uses type tracking). - */ -deprecated predicate callStep = TypeTrackingImpl::TypeTrackingInput::callStep/2; - -/** - * Holds if `nodeFrom` steps to `nodeTo` by being returned from a call. - * - * Flow out of summarized library methods is not included, as that will lead to negative - * recursion (or, at best, terrible performance), since identifying calls to library - * methods is done using API graphs (which uses type tracking). - */ -deprecated predicate returnStep = TypeTrackingImpl::TypeTrackingInput::returnStep/2; - -/** - * Holds if `nodeFrom` is being written to the `contents` of the object - * in `nodeTo`. - * - * Note that the choice of `nodeTo` does not have to make sense - * "chronologically". 
All we care about is whether the `contents` of - * `nodeTo` can have a specific type, and the assumption is that if a specific - * type appears here, then any access of that particular content can yield - * something of that particular type. - * - * Thus, in an example such as - * - * ```rb - * def foo(y) - * x = Foo.new - * bar(x) - * x.content = y - * baz(x) - * end - * - * def bar(x) - * z = x.content - * end - * ``` - * for the content write `x.content = y`, we will have `contents` being the - * literal string `"content"`, `nodeFrom` will be `y`, and `nodeTo` will be the - * `Foo` object created on the first line of the function. This means we will - * track the fact that `x.content` can have the type of `y` into the assignment - * to `z` inside `bar`, even though this content write happens _after_ `bar` is - * called. - */ -deprecated predicate basicStoreStep = TypeTrackingImpl::TypeTrackingInput::storeStep/3; - -/** - * Holds if `nodeTo` is the result of accessing the `content` content of `nodeFrom`. - */ -deprecated predicate basicLoadStep = TypeTrackingImpl::TypeTrackingInput::loadStep/3; - -/** - * Holds if the `loadContent` of `nodeFrom` is stored in the `storeContent` of `nodeTo`. - */ -deprecated predicate basicLoadStoreStep = TypeTrackingImpl::TypeTrackingInput::loadStoreStep/4; - -/** - * Holds if type-tracking should step from `nodeFrom` to `nodeTo` but block flow of contents matched by `filter` through here. - */ -deprecated predicate basicWithoutContentStep = - TypeTrackingImpl::TypeTrackingInput::withoutContentStep/3; - -/** - * Holds if type-tracking should step from `nodeFrom` to `nodeTo` if inside a content matched by `filter`. - */ -deprecated predicate basicWithContentStep = TypeTrackingImpl::TypeTrackingInput::withContentStep/3; diff --git a/ruby/ql/test/library-tests/frameworks/Twirp/Twirp.ql b/ruby/ql/test/library-tests/frameworks/Twirp/Twirp.ql index fee49cbb48c2..2e1382356abc 100644 
--- a/ruby/ql/test/library-tests/frameworks/Twirp/Twirp.ql +++ b/ruby/ql/test/library-tests/frameworks/Twirp/Twirp.ql @@ -4,5 +4,3 @@ private import codeql.ruby.DataFlow query predicate sourceTest(Twirp::UnmarshaledParameter source) { any() } query predicate ssrfSinkTest(Twirp::ServiceUrlAsSsrfSink sink) { any() } - -deprecated query predicate serviceInstantiationTest(Twirp::ServiceInstantiation si) { any() } diff --git a/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.ql b/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.ql index 348ca1456e2f..994c62c53628 100644 --- a/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.ql +++ b/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.ql @@ -9,22 +9,12 @@ query predicate activeRecordInstances(ActiveRecordInstance i) { any() } query predicate activeRecordSqlExecutionRanges(ActiveRecordSqlExecutionRange range) { any() } -deprecated query predicate activeRecordModelClassMethodCalls(ActiveRecordModelClassMethodCall call) { - any() -} - query predicate activeRecordModelClassMethodCallsReplacement( ActiveRecordModelClass cls, DataFlow::CallNode call ) { call = cls.getClassNode().trackModule().getAMethodCall(_) } -deprecated query predicate potentiallyUnsafeSqlExecutingMethodCall( - PotentiallyUnsafeSqlExecutingMethodCall call -) { - any() -} - query predicate activeRecordModelInstantiations( ActiveRecordModelInstantiation i, ActiveRecordModelClass cls ) { diff --git a/ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.ql b/ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.ql index f1898ddbc985..cb96ee44d983 100644 --- a/ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.ql +++ b/ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.ql 
@@ -14,8 +14,6 @@ query predicate modelClasses( query predicate modelClassMethodCalls(ActiveResource::ModelClassMethodCall c) { any() } -deprecated query predicate modelInstances(ActiveResource::ModelInstance c) { any() } - query predicate modelInstancesAsSource( ActiveResource::ModelClassNode cls, DataFlow::LocalSourceNode node ) { @@ -24,6 +22,4 @@ query predicate modelInstancesAsSource( query predicate modelInstanceMethodCalls(ActiveResource::ModelInstanceMethodCall c) { any() } -deprecated query predicate collections(ActiveResource::Collection c) { any() } - query predicate collectionSources(ActiveResource::CollectionSource c) { any() } diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll index 7c437adabb84..0b6ed84da365 100644 --- a/shared/dataflow/codeql/dataflow/DataFlow.qll +++ b/shared/dataflow/codeql/dataflow/DataFlow.qll @@ -703,11 +703,6 @@ module DataFlowMake Lang> { import Impl } - /** DEPRECATED: Use `Global` instead. */ - deprecated module Make implements GlobalFlowSig { - import Global - } - /** * Constructs a global data flow computation using flow state. */ @@ -731,11 +726,6 @@ module DataFlowMake Lang> { import Impl } - /** DEPRECATED: Use `GlobalWithState` instead. */ - deprecated module MakeWithState implements GlobalFlowSig { - import GlobalWithState - } - signature class PathNodeSig { /** Gets a textual representation of this element. */ string toString(); diff --git a/shared/dataflow/codeql/dataflow/TaintTracking.qll b/shared/dataflow/codeql/dataflow/TaintTracking.qll index 8247255038c0..491d7794382b 100644 --- a/shared/dataflow/codeql/dataflow/TaintTracking.qll +++ b/shared/dataflow/codeql/dataflow/TaintTracking.qll @@ -97,11 +97,6 @@ module TaintFlowMake< import DataFlowInternal::Impl } - /** DEPRECATED: Use `Global` instead. */ - deprecated module Make implements DataFlow::GlobalFlowSig { - import Global - } - /** * Constructs a global taint tracking computation using flow state. */ 
@@ -130,13 +125,6 @@ module TaintFlowMake< import DataFlowInternal::Impl } - /** DEPRECATED: Use `GlobalWithState` instead. */ - deprecated module MakeWithState implements - DataFlow::GlobalFlowSig - { - import GlobalWithState - } - signature int speculationLimitSig(); private module AddSpeculativeTaintSteps< diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 9fc19c384d87..2b69e583d28c 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -4614,9 +4614,6 @@ module MakeImpl Lang> { import S6 - /** DEPRECATED: Use `flowPath` instead. */ - deprecated predicate hasFlowPath = flowPath/2; - /** * Holds if data can flow from `source` to `sink`. */ @@ -4626,25 +4623,16 @@ module MakeImpl Lang> { ) } - /** DEPRECATED: Use `flow` instead. */ - deprecated predicate hasFlow = flow/2; - /** * Holds if data can flow from some source to `sink`. */ predicate flowTo(Node sink) { exists(PathNode n | n.isSink() and n.getNode() = sink) } - /** DEPRECATED: Use `flowTo` instead. */ - deprecated predicate hasFlowTo = flowTo/1; - /** * Holds if data can flow from some source to `sink`. */ predicate flowToExpr(DataFlowExpr sink) { flowTo(exprNode(sink)) } - /** DEPRECATED: Use `flowToExpr` instead. */ - deprecated predicate hasFlowToExpr = flowToExpr/1; - /** * INTERNAL: Only for debugging. * diff --git a/shared/typetracking/codeql/typetracking/TypeTracking.qll b/shared/typetracking/codeql/typetracking/TypeTracking.qll index 691480072d4e..7a411adb6333 100644 --- a/shared/typetracking/codeql/typetracking/TypeTracking.qll +++ b/shared/typetracking/codeql/typetracking/TypeTracking.qll 
@@ -137,8 +137,6 @@ module TypeTracking I> { private module ConsistencyChecksInput implements MkImpl::ConsistencyChecksInputSig { } - deprecated module ConsistencyChecks = MkImpl::ConsistencyChecks; - class TypeTracker = MkImpl::TypeTracker; module TypeTracker = MkImpl::TypeTracker; diff --git a/shared/typetracking/codeql/typetracking/internal/TypeTrackingImpl.qll b/shared/typetracking/codeql/typetracking/internal/TypeTrackingImpl.qll index 5487561439ec..b36edca04e7c 100644 --- a/shared/typetracking/codeql/typetracking/internal/TypeTrackingImpl.qll +++ b/shared/typetracking/codeql/typetracking/internal/TypeTrackingImpl.qll @@ -830,13 +830,6 @@ module TypeTracking I> { private predicate stepPlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2) - /** - * DEPRECATED: Use `flowPath` instead. - * - * Holds if there is a path between `source` and `sink`. - */ - deprecated predicate hasFlow(PathNode source, PathNode sink) { flowPath(source, sink) } - /** Holds if there is a path between `source` and `sink`. */ predicate flowPath(PathNode source, PathNode sink) { source.isSource() and diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll index faff53f06749..b14bd5d5f592 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll @@ -250,11 +250,6 @@ module Content { override string toString() { result = "Collection element" } } - /** - * DEPRECATED: An element of a collection. This is an alias for the general CollectionContent. - */ - deprecated class ArrayContent = CollectionContent; - /** A captured variable. */ class CapturedVariableContent extends Content, TCapturedVariableContent { CapturedVariable v; diff --git a/swift/ql/lib/codeql/swift/regex/Regex.qll b/swift/ql/lib/codeql/swift/regex/Regex.qll index 36be99e4a71b..f2abba2e4f2b 100644 --- a/swift/ql/lib/codeql/swift/regex/Regex.qll 
+++ b/swift/ql/lib/codeql/swift/regex/Regex.qll @@ -73,11 +73,6 @@ abstract class RegexCreation extends DataFlow::Node { * such as parse mode flags (if any). */ DataFlow::Node getAnOptionsInput() { none() } - - /** - * DEPRECATED: Use `getAnOptionsInput()` instead. - */ - deprecated DataFlow::Node getOptionsInput() { result = this.getAnOptionsInput() } } /** @@ -309,21 +304,11 @@ abstract class RegexEval extends CallExpr { */ abstract DataFlow::Node getRegexInputNode(); - /** - * DEPRECATED: Use `getRegexInputNode()` instead. - */ - deprecated Expr getRegexInput() { result = this.getRegexInputNode().asExpr() } - /** * Gets the input to this call that is the string the regular expression is evaluated on. */ abstract DataFlow::Node getStringInputNode(); - /** - * DEPRECATED: Use `getStringInputNode()` instead. - */ - deprecated Expr getStringInput() { result = this.getStringInputNode().asExpr() } - /** * Gets a dataflow node for an options input that might contain options such * as parse mode flags (if any). From bd8ed1dc048088ff557ded2261a841d4cfe2ee7b Mon Sep 17 00:00:00 2001 From: erik-krogh Date: Mon, 27 Jan 2025 18:27:18 +0100 Subject: [PATCH 2/9] cpp: revert two cpp dataflow deprecations that take more work --- cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll | 13 +++++++++++++ .../lib/semmle/code/cpp/dataflow/TaintTracking.qll | 14 ++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll index b8262141dc8b..a478da5193e0 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll 
@@ -18,3 +18,16 @@ */ import cpp + +/** + * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead. + * + * Provides classes for performing local (intra-procedural) and + * global (inter-procedural) data flow analyses. + */ +deprecated module DataFlow { + private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific + private import codeql.dataflow.DataFlow + import DataFlowMake + import Public +} diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll index 238a05e55d04..36af8d9660bb 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll @@ -16,3 +16,17 @@ */ import semmle.code.cpp.dataflow.DataFlow + +/** + * DEPRECATED: Use `semmle.code.cpp.dataflow.new.TaintTracking` instead. + * + * Provides classes for performing local (intra-procedural) and + * global (inter-procedural) taint-tracking analyses. + */ +deprecated module TaintTracking { + import semmle.code.cpp.dataflow.internal.TaintTrackingUtil + private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific + private import semmle.code.cpp.dataflow.internal.TaintTrackingImplSpecific + private import codeql.dataflow.TaintTracking + import TaintFlowMake +} From 7b1b366d98f2818c2f012a058a6f83986e077cbb Mon Sep 17 00:00:00 2001 From: erik-krogh Date: Mon, 27 Jan 2025 18:45:30 +0100 Subject: [PATCH 3/9] ruby: update ruby tests after deleting deprecated test predicates --- .../frameworks/Twirp/Twirp.expected | 3 - .../active_record/ActiveRecord.expected | 93 ------------------- .../active_resource/ActiveResource.expected | 30 ------ 3 files changed, 126 deletions(-) diff --git a/ruby/ql/test/library-tests/frameworks/Twirp/Twirp.expected b/ruby/ql/test/library-tests/frameworks/Twirp/Twirp.expected index 4f1b0c309203..2481d5c5a248 100644 --- a/ruby/ql/test/library-tests/frameworks/Twirp/Twirp.expected 
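Review bot: The two restored blocks, `deprecated module DataFlow` in this hunk and `deprecated module TaintTracking` in the TaintTracking.qll hunk that follows, carry nothing that tells a maintainer why they outlived the deprecation window. Patch 1/9 removed them with a script that deletes outdated deprecations, and this commit puts them back because their removal takes more work, so a later run of that script will presumably delete them again. I would add a line to each QLDoc block, for example ` * NOTE: intentionally kept past the usual deprecation period; removal needs follow-up work, do not delete automatically.`, and point to the follow-up issue there if one is tracked. Because these are the entry points of the old C++ data-flow and taint-tracking libraries, any query still importing them silently depends on that decision being recorded.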
+++ b/ruby/ql/test/library-tests/frameworks/Twirp/Twirp.expected @@ -3,6 +3,3 @@ sourceTest | hello_world_server.rb:32:18:32:20 | req | ssrfSinkTest | hello_world_client.rb:6:47:6:75 | "http://localhost:8080/twirp" | -serviceInstantiationTest -| hello_world_server.rb:24:11:24:61 | call to new | -| hello_world_server.rb:38:1:38:57 | call to new | diff --git a/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.expected b/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.expected index 5dd0dbd9a150..6b6fdbf22fac 100644 --- a/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.expected +++ b/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.expected 
@@ -146,87 +146,6 @@ activeRecordSqlExecutionRanges | ActiveRecord.rb:73:20:73:39 | "username = #{...}" | | ActiveRecord.rb:85:21:85:44 | ...[...] | | ActiveRecord.rb:123:27:123:76 | "this is an unsafe annotation:..." | -activeRecordModelClassMethodCalls -| ActiveRecord.rb:2:3:2:17 | call to has_many | -| ActiveRecord.rb:6:3:6:24 | call to belongs_to | -| ActiveRecord.rb:9:5:9:68 | call to find | -| ActiveRecord.rb:13:5:13:40 | call to find_by | -| ActiveRecord.rb:13:5:13:46 | call to users | -| ActiveRecord.rb:36:5:36:25 | call to destroy_by | -| ActiveRecord.rb:45:5:45:45 | call to calculate | -| ActiveRecord.rb:46:5:46:43 | call to delete_by | -| ActiveRecord.rb:47:5:47:46 | call to destroy_by | -| ActiveRecord.rb:48:5:48:35 | call to where | -| ActiveRecord.rb:51:5:51:14 | call to where | -| ActiveRecord.rb:51:5:51:48 | call to not | -| ActiveRecord.rb:53:5:53:30 | call to find_by_name | -| ActiveRecord.rb:54:5:54:36 | call to not_a_find_by_method | -| ActiveRecord.rb:63:5:63:33 | call to delete_by | -| ActiveRecord.rb:69:5:69:29 | call to order | -| ActiveRecord.rb:73:7:73:40 | call to find_by | -| ActiveRecord.rb:77:5:77:33 | call to find_by | -| ActiveRecord.rb:79:5:79:34 | call to find | -| ActiveRecord.rb:89:5:89:24 | call to create | -| ActiveRecord.rb:93:5:93:66 | call to create | -| ActiveRecord.rb:97:5:97:68 | call to create | -| ActiveRecord.rb:101:5:101:16 | call to create | -| ActiveRecord.rb:105:5:105:27 | call to update | -| ActiveRecord.rb:109:5:109:69 | call to update | -| ActiveRecord.rb:113:5:113:71 | call to update | -| ActiveRecord.rb:119:13:119:54 | call to annotate | -| ActiveRecord.rb:123:13:123:77 | call to annotate | -| associations.rb:2:3:2:17 | call to has_many | -| associations.rb:6:3:6:20 | call to belongs_to | -| associations.rb:7:3:7:20 | call to has_many | -| associations.rb:8:3:8:31 | call to has_and_belongs_to_many | -| associations.rb:12:3:12:32 | call to has_and_belongs_to_many | -| associations.rb:16:3:16:18 | call to 
belongs_to | -| associations.rb:19:11:19:20 | call to new | -| associations.rb:21:9:21:21 | call to posts | -| associations.rb:21:9:21:28 | call to create | -| associations.rb:23:12:23:25 | call to comments | -| associations.rb:23:12:23:32 | call to create | -| associations.rb:25:11:25:22 | call to author | -| associations.rb:27:9:27:21 | call to posts | -| associations.rb:27:9:27:28 | call to create | -| associations.rb:29:1:29:13 | call to posts | -| associations.rb:29:1:29:22 | ... << ... | -| associations.rb:31:1:31:12 | call to author= | -| associations.rb:35:1:35:14 | call to comments | -| associations.rb:35:1:35:21 | call to create | -| associations.rb:35:1:35:28 | call to create | -| associations.rb:37:1:37:13 | call to posts | -| associations.rb:37:1:37:20 | call to reload | -| associations.rb:37:1:37:27 | call to create | -| associations.rb:39:1:39:15 | call to build_tag | -| associations.rb:40:1:40:15 | call to build_tag | -| associations.rb:42:1:42:13 | call to posts | -| associations.rb:42:1:42:25 | call to push | -| associations.rb:43:1:43:13 | call to posts | -| associations.rb:43:1:43:27 | call to concat | -| associations.rb:44:1:44:13 | call to posts | -| associations.rb:44:1:44:19 | call to build | -| associations.rb:45:1:45:13 | call to posts | -| associations.rb:45:1:45:20 | call to create | -| associations.rb:46:1:46:13 | call to posts | -| associations.rb:46:1:46:21 | call to create! 
| -| associations.rb:47:1:47:13 | call to posts | -| associations.rb:47:1:47:20 | call to delete | -| associations.rb:48:1:48:13 | call to posts | -| associations.rb:48:1:48:24 | call to delete_all | -| associations.rb:49:1:49:13 | call to posts | -| associations.rb:49:1:49:21 | call to destroy | -| associations.rb:50:1:50:13 | call to posts | -| associations.rb:50:1:50:25 | call to destroy_all | -| associations.rb:51:1:51:13 | call to posts | -| associations.rb:51:1:51:22 | call to distinct | -| associations.rb:51:1:51:36 | call to find | -| associations.rb:52:1:52:13 | call to posts | -| associations.rb:52:1:52:19 | call to reset | -| associations.rb:52:1:52:33 | call to find | -| associations.rb:53:1:53:13 | call to posts | -| associations.rb:53:1:53:20 | call to reload | -| associations.rb:53:1:53:34 | call to find | activeRecordModelClassMethodCallsReplacement | ActiveRecord.rb:1:1:3:3 | UserGroup | ActiveRecord.rb:2:3:2:17 | call to has_many | | ActiveRecord.rb:1:1:3:3 | UserGroup | ActiveRecord.rb:13:5:13:40 | call to find_by | 
@@ -272,18 +191,6 @@ activeRecordModelClassMethodCallsReplacement | associations.rb:5:1:9:3 | Post | associations.rb:8:3:8:31 | call to has_and_belongs_to_many | | associations.rb:11:1:13:3 | Tag | associations.rb:12:3:12:32 | call to has_and_belongs_to_many | | associations.rb:15:1:17:3 | Comment | associations.rb:16:3:16:18 | call to belongs_to | -potentiallyUnsafeSqlExecutingMethodCall -| ActiveRecord.rb:9:5:9:68 | call to find | -| ActiveRecord.rb:36:5:36:25 | call to destroy_by | -| ActiveRecord.rb:45:5:45:45 | call to calculate | -| ActiveRecord.rb:46:5:46:43 | call to delete_by | -| ActiveRecord.rb:47:5:47:46 | call to destroy_by | -| ActiveRecord.rb:48:5:48:35 | call to where | -| ActiveRecord.rb:51:5:51:48 | call to not | -| ActiveRecord.rb:63:5:63:33 | call to delete_by | -| ActiveRecord.rb:69:5:69:29 | call to order | -| ActiveRecord.rb:73:7:73:40 | call to find_by | -| ActiveRecord.rb:123:13:123:77 | call to annotate | activeRecordModelInstantiations | ActiveRecord.rb:9:5:9:68 | call to find | ActiveRecord.rb:5:1:32:3 | User | | ActiveRecord.rb:13:5:13:40 | call to find_by | ActiveRecord.rb:1:1:3:3 | UserGroup | diff --git a/ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.expected b/ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.expected index e6d3b056971f..ea867bc01919 100644 --- a/ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.expected +++ b/ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.expected 
@@ -10,29 +10,6 @@ modelClassMethodCalls | active_resource.rb:23:10:23:19 | call to all | | active_resource.rb:24:10:24:26 | call to find | | active_resource.rb:30:3:30:11 | call to site= | -modelInstances -| active_resource.rb:5:1:5:5 | alice | -| active_resource.rb:5:1:5:33 | ... = ... | -| active_resource.rb:5:9:5:33 | call to new | -| active_resource.rb:6:1:6:5 | alice | -| active_resource.rb:8:1:8:5 | alice | -| active_resource.rb:8:1:8:22 | ... = ... | -| active_resource.rb:8:9:8:22 | call to find | -| active_resource.rb:9:1:9:5 | alice | -| active_resource.rb:10:1:10:5 | alice | -| active_resource.rb:12:1:12:5 | alice | -| active_resource.rb:16:1:16:23 | call to new | -| active_resource.rb:17:1:17:5 | alice | -| active_resource.rb:18:1:18:22 | call to get | -| active_resource.rb:19:1:19:5 | alice | -| active_resource.rb:24:1:24:6 | people | -| active_resource.rb:24:1:24:26 | ... = ... | -| active_resource.rb:24:10:24:26 | call to find | -| active_resource.rb:26:1:26:5 | alice | -| active_resource.rb:26:1:26:20 | ... = ... | -| active_resource.rb:26:9:26:14 | people | -| active_resource.rb:26:9:26:20 | call to first | -| active_resource.rb:27:1:27:5 | alice | modelInstancesAsSource | active_resource.rb:1:1:3:3 | Person | active_resource.rb:5:9:5:33 | call to new | | active_resource.rb:1:1:3:3 | Person | active_resource.rb:8:9:8:22 | call to find | @@ -50,13 +27,6 @@ modelInstanceMethodCalls | active_resource.rb:19:1:19:19 | call to delete | | active_resource.rb:26:9:26:20 | call to first | | active_resource.rb:27:1:27:10 | call to save | -collections -| active_resource.rb:23:1:23:19 | ... = ... | -| active_resource.rb:23:10:23:19 | call to all | -| active_resource.rb:24:1:24:6 | people | -| active_resource.rb:24:1:24:26 | ... = ... | -| active_resource.rb:24:10:24:26 | call to find | -| active_resource.rb:26:9:26:14 | people | collectionSources | active_resource.rb:23:10:23:19 | call to all | | active_resource.rb:24:10:24:26 | call to find | 
From 0056e923ea30d8f2e3976a2a5e2c3c895b5a7eb2 Mon Sep 17 00:00:00 2001 
From: erik-krogh Date: Mon, 27 Jan 2025 18:52:30 +0100 Subject: [PATCH 4/9] js: revert the JS deprecations. The old dataflow library is not that old yet --- .../lib/semmle/javascript/ES2015Modules.qll | 27 +++++++ javascript/ql/lib/semmle/javascript/Expr.qll | 11 +++ .../dataflow/BrokenCryptoAlgorithmQuery.qll | 16 ++++ .../dataflow/BuildArtifactLeakQuery.qll | 21 +++++ .../CleartextLoggingCustomizations.qll | 21 ++++- .../dataflow/CleartextLoggingQuery.qll | 21 +++++ .../dataflow/CleartextStorageQuery.qll | 13 ++++ .../ClientSideRequestForgeryQuery.qll | 27 +++++++ .../dataflow/ClientSideUrlRedirectQuery.qll | 45 +++++++++++ .../security/dataflow/CodeInjectionQuery.qll | 20 +++++ .../dataflow/CommandInjectionQuery.qll | 13 ++++ .../dataflow/ConditionalBypassQuery.qll | 78 +++++++++++++++++++ ...orsMisconfigurationForCredentialsQuery.qll | 20 +++++ .../DeepObjectResourceExhaustionQuery.qll | 30 +++++++ .../dataflow/DomBasedXssCustomizations.qll | 7 ++ .../security/dataflow/DomBasedXssQuery.qll | 34 ++++++++ .../security/dataflow/ExceptionXssQuery.qll | 30 +++++++ .../ExternalAPIUsedWithUntrustedDataQuery.qll | 49 ++++++++++++ .../dataflow/FileAccessToHttpQuery.qll | 24 ++++++ .../dataflow/HardcodedCredentialsQuery.qll | 22 ++++++ .../HardcodedDataInterpretedAsCodeQuery.qll | 17 ++++ ...tHeaderPoisoningInEmailGenerationQuery.qll | 11 +++ .../dataflow/HttpToFileAccessQuery.qll | 16 ++++ .../ImproperCodeSanitizationQuery.qll | 13 ++++ ...completeHtmlAttributeSanitizationQuery.qll | 32 ++++++++ .../IndirectCommandInjectionQuery.qll | 23 ++++++ .../dataflow/InsecureDownloadQuery.qll | 20 +++++ .../dataflow/InsecureRandomnessQuery.qll | 25 ++++++ .../dataflow/InsecureTemporaryFileQuery.qll | 16 ++++ .../InsufficientPasswordHashQuery.qll | 16 ++++ .../security/dataflow/LogInjectionQuery.qll | 13 ++++ .../dataflow/LoopBoundInjectionQuery.qll | 28 +++++++ .../security/dataflow/NosqlInjectionQuery.qll | 34 ++++++++ .../dataflow/PostMessageStarQuery.qll | 45 +++++++++++ 
.../PrototypePollutingAssignmentQuery.qll | 72 +++++++++++++++++ .../dataflow/PrototypePollutionQuery.qll | 40 ++++++++++ .../security/dataflow/ReflectedXssQuery.qll | 21 +++++ .../dataflow/RegExpInjectionQuery.qll | 16 ++++ .../dataflow/RemotePropertyInjectionQuery.qll | 17 ++++ .../security/dataflow/RequestForgeryQuery.qll | 25 ++++++ .../dataflow/ResourceExhaustionQuery.qll | 25 ++++++ .../SecondOrderCommandInjectionQuery.qll | 29 +++++++ .../dataflow/ServerSideUrlRedirectQuery.qll | 29 +++++++ ...llCommandInjectionFromEnvironmentQuery.qll | 20 +++++ .../security/dataflow/SqlInjectionQuery.qll | 20 +++++ .../dataflow/StackTraceExposureQuery.qll | 17 ++++ .../security/dataflow/StoredXssQuery.qll | 21 +++++ .../dataflow/TaintedFormatStringQuery.qll | 16 ++++ .../dataflow/TaintedPathCustomizations.qll | 2 + .../security/dataflow/TaintedPathQuery.qll | 31 ++++++++ .../dataflow/TemplateObjectInjectionQuery.qll | 27 +++++++ ...onfusionThroughParameterTamperingQuery.qll | 22 ++++++ .../dataflow/UnsafeCodeConstruction.qll | 29 +++++++ .../dataflow/UnsafeDeserializationQuery.qll | 16 ++++ .../UnsafeDynamicMethodAccessQuery.qll | 36 +++++++++ .../dataflow/UnsafeHtmlConstructionQuery.qll | 3 + .../dataflow/UnsafeJQueryPluginQuery.qll | 41 ++++++++++ .../UnsafeShellCommandConstructionQuery.qll | 30 +++++++ ...lidatedDynamicMethodCallCustomizations.qll | 12 +++ .../UnvalidatedDynamicMethodCallQuery.qll | 34 ++++++++ .../security/dataflow/XmlBombQuery.qll | 16 ++++ .../security/dataflow/XpathInjectionQuery.qll | 16 ++++ .../security/dataflow/XssThroughDomQuery.qll | 40 ++++++++++ .../javascript/security/dataflow/XxeQuery.qll | 16 ++++ .../security/dataflow/ZipSlipQuery.qll | 30 +++++++ .../security/regexp/PolynomialReDoSQuery.qll | 31 ++++++++ .../experimental/Security/CWE-918/SSRF.qll | 7 ++ .../frameworks/Templating/XssDiff.ql | 3 + 68 files changed, 1647 insertions(+), 1 deletion(-) 
diff --git a/javascript/ql/lib/semmle/javascript/ES2015Modules.qll b/javascript/ql/lib/semmle/javascript/ES2015Modules.qll index 7a2c69e8b3c0..cc84fb87324d 100644 --- a/javascript/ql/lib/semmle/javascript/ES2015Modules.qll +++ b/javascript/ql/lib/semmle/javascript/ES2015Modules.qll @@ -104,6 +104,18 @@ class ImportDeclaration extends Stmt, Import, @import_declaration { */ ObjectExpr getImportAttributes() { result = this.getChildExpr(-10) } + /** + * DEPRECATED: use `getImportAttributes` instead. + * Gets the object literal passed as part of the `with` (or `assert`) clause in this import declaration. + * + * For example, this gets the `{ type: "json" }` object literal in the following: + * ```js + * import foo from "foo" with { type: "json" }; + * import foo from "foo" assert { type: "json" }; + * ``` + */ + deprecated ObjectExpr getImportAssertion() { result = this.getImportAttributes() } + /** Gets the `i`th import specifier of this import declaration. */ ImportSpecifier getSpecifier(int i) { result = this.getChildExpr(i) } @@ -338,6 +350,21 @@ abstract class ExportDeclaration extends Stmt, @export_declaration { * ``` */ ObjectExpr getImportAttributes() { result = this.getChildExpr(-10) } + + /** + * DEPRECATED: use `getImportAttributes` instead. + * Gets the object literal passed as part of the `with` (or `assert`) clause, if this is + * a re-export declaration. + * + * For example, this gets the `{ type: "json" }` expression in each of the following: + * ```js + * export { x } from 'foo' with { type: "json" }; + * export * from 'foo' with { type: "json" }; + * export * as x from 'foo' with { type: "json" }; + * export * from 'foo' assert { type: "json" }; + * ``` + */ + deprecated ObjectExpr getImportAssertion() { result = this.getImportAttributes() } } /** diff --git a/javascript/ql/lib/semmle/javascript/Expr.qll b/javascript/ql/lib/semmle/javascript/Expr.qll index 4103321d580d..0049c5f5aca7 100644 --- a/javascript/ql/lib/semmle/javascript/Expr.qll 
+++ b/javascript/ql/lib/semmle/javascript/Expr.qll @@ -2830,6 +2830,17 @@ class DynamicImportExpr extends @dynamic_import, Expr, Import { */ Expr getImportOptions() { result = this.getChildExpr(1) } + /** + * DEPRECATED: use `getImportOptions` instead. + * Gets the second "argument" to the import expression, that is, the `Y` in `import(X, Y)`. + * + * For example, gets the `{ with: { type: "json" }}` expression in the following: + * ```js + * import('foo', { with: { type: "json" }}) + * ``` + */ + deprecated Expr getImportAttributes() { result = this.getImportOptions() } + override Module getEnclosingModule() { result = this.getTopLevel() } override DataFlow::Node getImportedModuleNode() { result = DataFlow::valueNode(this) } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll index c3bc6f451941..15d0fa151d7c 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll @@ -39,3 +39,19 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig { * Taint tracking flow for sensitive information in broken or weak cryptographic algorithms. */ module BrokenCryptoAlgorithmFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `BrokenCryptoAlgorithmFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "BrokenCryptoAlgorithm" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} 
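Review bot: The restored `Configuration` class in BrokenCryptoAlgorithmQuery.qll restates its sources and sinks (`source instanceof Source`, `sink instanceof Sink`) instead of delegating to `BrokenCryptoAlgorithmConfig`, so the legacy and the new analysis can drift apart when only one of them is edited. CommandInjectionQuery.qll in this same patch already delegates, e.g. `override predicate isSource(DataFlow::Node source) { CommandInjectionConfig::isSource(source) }`. The same shape would fit here with `BrokenCryptoAlgorithmConfig::isSource(source)` and `BrokenCryptoAlgorithmConfig::isSink(sink)`, assuming the module's predicates (not visible in this hunk) select the same nodes. The restored classes in CleartextStorageQuery.qll, CodeInjectionQuery.qll, ConditionalBypassQuery.qll, CorsMisconfigurationForCredentialsQuery.qll and FileAccessToHttpQuery.qll follow the same pattern.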
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
index 607ed8224990..c044d7b0cbc0 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
@@ -38,3 +38,24 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
 * Taint tracking flow for storage of sensitive information in build artifact.
 */
 module BuildArtifactLeakFlow = TaintTracking::Global;
+
+/**
+ * DEPRECATED. Use the `BuildArtifactLeakFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
+ Configuration() { this = "BuildArtifactLeak" }
+
+ override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
+ source.(CleartextLogging::Source).getLabel() = lbl
+ }
+
+ override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
+ sink.(Sink).getLabel() = lbl
+ }
+
+ override predicate isSanitizer(DataFlow::Node node) { node instanceof CleartextLogging::Barrier }
+
+ override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
+ CleartextLogging::isAdditionalTaintStep(src, trg)
+ }
+}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
index 38ebc9eb53d5..5dca4cf1df28 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -15,12 +15,22 @@ module CleartextLogging { abstract class Source extends DataFlow::Node { /** Gets a string that describes the type of this data flow source. */ abstract string describe(); + + /** + * DEPRECATED. Overriding this predicate no longer has any effect. + */ + deprecated DataFlow::FlowLabel getLabel() { result.isTaint() } } /** * A data flow sink for clear-text logging of sensitive information. */ - abstract class Sink extends DataFlow::Node { } + abstract class Sink extends DataFlow::Node { + /** + * DEPRECATED. Overriding this predicate no longer has any effect. + */ + deprecated DataFlow::FlowLabel getLabel() { result.isTaint() } + } /** * A barrier for clear-text logging of sensitive information. @@ -188,6 +198,15 @@ module CleartextLogging { } } + /** + * DEPRECATED. Use `Barrier` instead, sanitized have been replaced by sanitized nodes. + * + * Holds if the edge `pred` -> `succ` should be sanitized for clear-text logging of sensitive information. + */ + deprecated predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) { + succ.(DataFlow::PropRead).getBase() = pred + } + /** * Holds if the edge `src` -> `trg` is an additional taint-step for clear-text logging of sensitive information. */ diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll index 131904006ce7..efed5ba46ab3 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll 
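Review bot: The doc comment on the two restored `getLabel()` predicates in the first hunk says "Overriding this predicate no longer has any effect", but the `Configuration` classes restored by this same patch in CleartextLoggingQuery.qll and BuildArtifactLeakQuery.qll read it in `isSource` and `isSink` (`source.(Source).getLabel() = lbl`). An override therefore still appears to change what the legacy configuration reports. A more accurate comment would be `* DEPRECATED. Only the deprecated Configuration classes still read this predicate; overriding it has no effect on CleartextLoggingFlow.` In the third hunk, the comment on `isSanitizerEdge` reads "sanitized have been replaced by sanitized nodes", which drops a noun; `* DEPRECATED. Use Barrier instead; sanitized edges have been replaced by sanitized nodes.` is presumably what was meant.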
@@ -49,3 +49,24 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig { * Taint tracking flow for clear-text logging of sensitive information. */ module CleartextLoggingFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `CleartextLoggingFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "CleartextLogging" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) { + source.(Source).getLabel() = lbl + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) { + sink.(Sink).getLabel() = lbl + } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier } + + override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) { + CleartextLogging::isAdditionalTaintStep(src, trg) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll index d285bb49d2a0..0fbd576959e4 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll @@ -30,3 +30,16 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig { } module ClearTextStorageFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `ClearTextStorageFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ClearTextStorage" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } +} 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
index da4f68dd7d31..155aaca59c1e 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -45,3 +45,30 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
 * Taint tracking for client-side request forgery.
 */
 module ClientSideRequestForgeryFlow = TaintTracking::Global;
+
+/**
+ * DEPRECATED. Use the `ClientSideRequestForgeryFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
+ Configuration() { this = "ClientSideRequestForgery" }
+
+ override predicate isSource(DataFlow::Node source) {
+ exists(Source src |
+ source = src and
+ not src.isServerSide()
+ )
+ }
+
+ override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ override predicate isSanitizer(DataFlow::Node node) {
+ super.isSanitizer(node) or
+ node instanceof Sanitizer
+ }
+
+ override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
+
+ override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ isAdditionalRequestForgeryStep(pred, succ)
+ }
+}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
index cf377f43d46a..526eaf1be361 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -62,3 +62,48 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig { * Taint-tracking flow for reasoning about unvalidated URL redirections. */ module ClientSideUrlRedirectFlow = TaintTracking::GlobalWithState; + +/** + * A taint-tracking configuration for reasoning about unvalidated URL redirections. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ClientSideUrlRedirect" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) { + source.(Source).getAFlowLabel() = lbl + } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) } + + override predicate isAdditionalFlowStep( + DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1, + DataFlow::FlowLabel state2 + ) { + ClientSideUrlRedirectConfig::isAdditionalFlowStep(node1, FlowState::fromFlowLabel(state1), + node2, FlowState::fromFlowLabel(state2)) + or + // Preserve document.url label in step from `location` to `location.href` or `location.toString()` + state1 instanceof DocumentUrl and + state2 instanceof DocumentUrl and + ( + node2.(DataFlow::PropRead).accesses(node1, "href") + or + exists(DataFlow::CallNode call | + call.getCalleeName() = "toString" and + node1 = call.getReceiver() and + node2 = call + ) + ) + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof HostnameSanitizerGuard + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll index 450c067f97ae..cc9b3f16a4fc 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll 
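Review bot: The doc comment on the restored `deprecated class Configuration` in ClientSideUrlRedirectQuery.qll still reads "A taint-tracking configuration for reasoning about unvalidated URL redirections." and never says that the class is deprecated or what replaces it. The other restored `Configuration` classes in this patch open with a deprecation line naming the replacement module. Here that would be `* DEPRECATED. Use the ClientSideUrlRedirectFlow module instead.`, where `ClientSideUrlRedirectFlow` is the module declared in the context lines just above the addition.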
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
@@ -32,3 +32,23 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about code injection vulnerabilities.
 */
 module CodeInjectionFlow = TaintTracking::Global;
+
+/**
+ * DEPRRECATED. Use the `CodeInjectionFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
+ Configuration() { this = "CodeInjection" }
+
+ override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+ override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ override predicate isSanitizer(DataFlow::Node node) {
+ super.isSanitizer(node) or
+ node instanceof Sanitizer
+ }
+
+ override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+ CodeInjectionConfig::isAdditionalFlowStep(node1, node2)
+ }
+}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
index b7e08b412ed9..7c013e1f4ace 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -45,3 +45,16 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about command-injection vulnerabilities.
 */
 module CommandInjectionFlow = TaintTracking::Global;
+
+/**
+ * DEPRECATED. Use the `CommandInjectionFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
+ Configuration() { this = "CommandInjection" }
+
+ override predicate isSource(DataFlow::Node source) { CommandInjectionConfig::isSource(source) }
+
+ override predicate isSink(DataFlow::Node sink) { CommandInjectionConfig::isSink(sink) }
+
+ override predicate isSanitizer(DataFlow::Node node) { CommandInjectionConfig::isBarrier(node) }
+}
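Review bot: The doc comment on the restored `Configuration` class in CodeInjectionQuery.qll is spelled `DEPRRECATED`, so it does not match the `DEPRECATED.` marker used by the other restored classes in this patch, and a text search for that marker will skip it. The line should read `* DEPRECATED. Use the CodeInjectionFlow module instead.`, with the module name in backticks as in the sibling files.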
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll index 59990d05e176..759a97291c35 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll @@ -35,6 +35,26 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig { */ module ConditionalBypassFlow = TaintTracking::Global; +/** + * DEPRECATED. Use the `ConditionalBypassFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ConditionalBypass" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) { + ConditionalBypassConfig::isAdditionalFlowStep(src, dst) + } +} + /** * Holds if the value of `nd` flows into `guard`. */ 
@@ -129,3 +149,61 @@ predicate isEarlyAbortGuardNode(ConditionalBypassFlow::PathNode e, SensitiveActi not action.asExpr().getEnclosingStmt().nestedIn(guard) ) } + +/** + * Holds if `sink` guards `action`, and `source` taints `sink`. + * + * If flow from `source` taints `sink`, then an attacker can + * control if `action` should be executed or not. + */ +deprecated predicate isTaintedGuardForSensitiveAction( + DataFlow::PathNode sink, DataFlow::PathNode source, SensitiveAction action +) { + action = sink.getNode().(Sink).getAction() and + // exclude the intermediary sink + not sink.getNode() instanceof SensitiveActionGuardComparisonOperand and + exists(Configuration cfg | + // ordinary taint tracking to a guard + cfg.hasFlowPath(source, sink) + or + // taint tracking to both operands of a guard comparison + exists( + SensitiveActionGuardComparison cmp, DataFlow::PathNode lSource, DataFlow::PathNode rSource, + DataFlow::PathNode lSink, DataFlow::PathNode rSink + | + sink.getNode() = cmp.getGuard() and + cfg.hasFlowPath(lSource, lSink) and + lSink.getNode() = DataFlow::valueNode(cmp.getLeftOperand()) and + cfg.hasFlowPath(rSource, rSink) and + rSink.getNode() = DataFlow::valueNode(cmp.getRightOperand()) + | + source = lSource or + source = rSource + ) + ) +} + +/** + * Holds if `e` effectively guards access to `action` by returning or throwing early. + * + * Example: `if (e) return; action(x)`. + */ +deprecated predicate isEarlyAbortGuard(DataFlow::PathNode e, SensitiveAction action) { + exists(IfStmt guard | + // `e` is in the condition of an if-statement ... + e.getNode().(Sink).asExpr().getParentExpr*() = guard.getCondition() and + // ... where the then-branch always throws or returns + exists(Stmt abort | + abort instanceof ThrowStmt or + abort instanceof ReturnStmt + | + abort.nestedIn(guard) and + abort.getBasicBlock().(ReachableBasicBlock).postDominates(guard.getThen().getBasicBlock()) + ) and + // ... 
and the else-branch does not exist + not exists(guard.getElse()) + | + // ... and `action` is outside the if-statement + not action.asExpr().getEnclosingStmt().nestedIn(guard) + ) +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll index c68c741bc837..b74c16eb031f 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll @@ -37,3 +37,23 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig { * Data flow for CORS misconfiguration for credentials transfer. */ module CorsMisconfigurationFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `CorsMisconfigurationFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "CorsMisconfigurationForCredentials" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll index 457d0c8112fa..ad03ad93b949 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll 
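Review bot: The two predicates restored in the second ConditionalBypassQuery.qll hunk, `isTaintedGuardForSensitiveAction` and `isEarlyAbortGuard`, are marked `deprecated` but their doc comments neither say so nor name a replacement, unlike the `Configuration` class restored in the first hunk of the same file. The hunk header shows `isEarlyAbortGuardNode(ConditionalBypassFlow::PathNode e, ...)`, which looks like the successor of `isEarlyAbortGuard`. If that is right, its comment should open with `* DEPRECATED. Use isEarlyAbortGuardNode instead.`. The comment on `isTaintedGuardForSensitiveAction` should point to its `ConditionalBypassFlow`-based equivalent in the same way; that replacement is not visible in this hunk.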
@@ -52,3 +52,33 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig { */ module DeepObjectResourceExhaustionFlow = TaintTracking::GlobalWithState; + +/** + * DEPRECATED. Use the `DeepObjectResourceExhaustionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "DeepObjectResourceExhaustion" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + source.(Source).getAFlowLabel() = label + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + sink instanceof Sink and label = TaintedObject::label() + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof TaintedObject::SanitizerGuard + } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + ) { + TaintedObject::step(src, trg, inlbl, outlbl) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll index 73bd03d9b13d..b9f27c6a8c2e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll 
@@ -322,6 +322,13 @@ module DomBasedXss { private class HtmlSanitizerAsSanitizer extends Sanitizer instanceof HtmlSanitizerCall { } + /** + * DEPRECATED. Use `isOptionallySanitizedNode` instead. + * + * Holds if there exists two dataflow edges to `succ`, where one edges is sanitized, and the other edge starts with `pred`. + */ + deprecated predicate isOptionallySanitizedEdge = isOptionallySanitizedEdgeInternal/2; + bindingset[call] pragma[inline_late] private SsaVariable getSanitizedSsaVariable(HtmlSanitizerCall call) { diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll index 5e30a5dafa14..36d5b3ba0a6b 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll 
@@ -122,6 +122,40 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig { */ module DomBasedXssFlow = TaintTracking::GlobalWithState; +/** + * DEPRECATED. Use the `DomBasedXssFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "HtmlInjection" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + DomBasedXssConfig::isSource(source, FlowState::fromFlowLabel(label)) + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + DomBasedXssConfig::isSink(sink, FlowState::fromFlowLabel(label)) + } + + override predicate isSanitizer(DataFlow::Node node) { DomBasedXssConfig::isBarrier(node) } + + override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) { + DomBasedXssConfig::isBarrier(node, FlowState::fromFlowLabel(lbl)) + } + + override predicate isAdditionalFlowStep( + DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1, + DataFlow::FlowLabel state2 + ) { + DomBasedXssConfig::isAdditionalFlowStep(node1, FlowState::fromFlowLabel(state1), node2, + FlowState::fromFlowLabel(state2)) + or + // inherit all ordinary taint steps for the prefix label + state1 = prefixLabel() and + state2 = prefixLabel() and + TaintTracking::sharedTaintStep(node1, node2) + } +} + private class PrefixStringSanitizerActivated extends PrefixStringSanitizer { PrefixStringSanitizerActivated() { this = this } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll index a4b677d2946f..d7f4fe954f9c 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll 
@@ -163,3 +163,33 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig { * Taint-tracking for reasoning about XSS with possible exceptional flow. */ module ExceptionXssFlow = TaintTracking::GlobalWithState; + +/** + * DEPRECATED. Use the `ExceptionXssFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ExceptionXss" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + source.(Source).getAFlowLabel() = label + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + sink instanceof XssShared::Sink and not label instanceof NotYetThrown + } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof XssShared::Sanitizer } + + override predicate isAdditionalFlowStep( + DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + ) { + ExceptionXssConfig::isAdditionalFlowStep(pred, FlowState::fromFlowLabel(inlbl), succ, + FlowState::fromFlowLabel(outlbl)) + or + // All the usual taint-flow steps apply on data-flow before it has been thrown in an exception. + // Note: this step is not needed in StateConfigSig module since flow states inherit taint steps. + this.isAdditionalFlowStep(pred, succ) and + inlbl instanceof NotYetThrown and + outlbl instanceof NotYetThrown + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll index dcf79522104e..7972c379e874 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll 
@@ -43,6 +43,55 @@ module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig { module ExternalAPIUsedWithUntrustedDataFlow = TaintTracking::Global; +/** + * Flow label for objects from which a tainted value is reachable. + * + * Only used by the legacy data-flow configuration, as the new data flow configuration + * uses `allowImplicitRead` to achieve this instead. + */ +deprecated private class ObjectWrapperFlowLabel extends DataFlow::FlowLabel { + ObjectWrapperFlowLabel() { this = "object-wrapper" } +} + +/** + * DEPRECATED. Use the `ExternalAPIUsedWithUntrustedDataFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ExternalAPIUsedWithUntrustedData" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) { + sink instanceof Sink and + (lbl.isTaint() or lbl instanceof ObjectWrapperFlowLabel) + } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isAdditionalFlowStep( + DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel predLbl, + DataFlow::FlowLabel succLbl + ) { + // Step into an object and switch to the 'object-wrapper' label. + exists(DataFlow::PropWrite write | + pred = write.getRhs() and + succ = write.getBase().getALocalSource() and + (predLbl.isTaint() or predLbl instanceof ObjectWrapperFlowLabel) and + succLbl instanceof ObjectWrapperFlowLabel + ) + } + + override predicate isSanitizerIn(DataFlow::Node node) { + // Block flow from the location to its properties, as the relevant properties (hash and search) are taint sources of their own. + // The location source is only used for propagating through API calls like `new URL(location)` and into external APIs where + // the whole location object escapes. 
+ node = DOM::locationRef().getAPropertyRead() + } +} + /** A node representing data being passed to an external API. */ class ExternalApiDataNode extends DataFlow::Node instanceof Sink { } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll index 6767baf8bb7b..21efb2b77702 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll @@ -32,3 +32,27 @@ module FileAccessToHttpConfig implements DataFlow::ConfigSig { * Taint tracking for file data in outbound network requests. */ module FileAccessToHttpFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `FileAccessToHttpFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "FileAccessToHttp" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + // taint entire object on property write + exists(DataFlow::PropWrite pwr | + succ = pwr.getBase() and + pred = pwr.getRhs() + ) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll index 14e5d4f0ed55..d589b3a15595 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll 
@@ -77,3 +77,25 @@ module HardcodedCredentialsConfig implements DataFlow::ConfigSig { * Data flow for reasoning about hardcoded credentials. */ module HardcodedCredentials = DataFlow::Global; + +/** + * DEPRECATED. Use the `HardcodedCredentials` module instead. + */ +deprecated class Configuration extends DataFlow::Configuration { + Configuration() { this = "HardcodedCredentials" } + + override predicate isSource(DataFlow::Node source) { + HardcodedCredentialsConfig::isSource(source) + } + + override predicate isSink(DataFlow::Node sink) { HardcodedCredentialsConfig::isSink(sink) } + + override predicate isBarrier(DataFlow::Node node) { + super.isBarrier(node) or + HardcodedCredentialsConfig::isBarrier(node) + } + + override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) { + HardcodedCredentialsConfig::isAdditionalFlowStep(src, trg) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll index 3d79fdd75536..0d33ee11876f 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll 
@@ -43,3 +43,20 @@ module HardcodedDataInterpretedAsCodeConfig implements DataFlow::StateConfigSig */ module HardcodedDataInterpretedAsCodeFlow = DataFlow::GlobalWithState; + +/** + * DEPRECATED. Use the `HardcodedDataInterpretedAsCodeFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "HardcodedDataInterpretedAsCode" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) { + source.(Source).getLabel() = lbl + } + + override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) { + nd.(Sink).getLabel() = lbl + } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll index 07ecb1333b6f..4271ef3e9b68 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll @@ -25,3 +25,14 @@ module HostHeaderPoisoningConfig implements DataFlow::ConfigSig { * Taint tracking configuration host header poisoning. */ module HostHeaderPoisoningFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `HostHeaderPoisoningFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "TaintedHostHeader" } + + override predicate isSource(DataFlow::Node node) { HostHeaderPoisoningConfig::isSource(node) } + + override predicate isSink(DataFlow::Node node) { HostHeaderPoisoningConfig::isSink(node) } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll index 51992d4be471..0525367d1e22 100644 
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll @@ -25,3 +25,19 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig { * Taint tracking for writing user-controlled data to files. */ module HttpToFileAccessFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `HttpToFileAccessFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "HttpToFileAccess" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll index 1d65dc6d59e1..1601208ed38e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll @@ -27,3 +27,16 @@ module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about improper code sanitization vulnerabilities. */ module ImproperCodeSanitizationFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `ImproperCodeSanitizationFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ImproperCodeSanitization" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer } +} 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll index 697f04c6c5cf..578c15635bbb 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll @@ -51,3 +51,35 @@ module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfi */ module IncompleteHtmlAttributeSanitizationFlow = TaintTracking::GlobalWithState; + +/** + * DEPRECATED. Use the `IncompleteHtmlAttributeSanitizationFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "IncompleteHtmlAttributeSanitization" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + label = Label::characterToLabel(source.(Source).getAnUnsanitizedCharacter()) + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + label = Label::characterToLabel(sink.(Sink).getADangerousCharacter()) + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, + DataFlow::FlowLabel dstlabel + ) { + super.isAdditionalFlowStep(src, dst) and srclabel = dstlabel + } + + override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) { + lbl = Label::characterToLabel(node.(StringReplaceCall).getAReplacedString()) or + this.isSanitizer(node) + } + + override predicate isSanitizer(DataFlow::Node n) { + n instanceof Sanitizer or + super.isSanitizer(n) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll index bc993d7577ad..87d85911a1ba 100644 
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll @@ -41,3 +41,26 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about command-injection vulnerabilities. */ module IndirectCommandInjectionFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `IndirectCommandInjectionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "IndirectCommandInjection" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + /** + * Holds if `sink` is a data-flow sink for command-injection vulnerabilities, and + * the alert should be placed at the node `highlight`. + */ + predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) { + sink instanceof Sink and highlight = sink + or + isIndirectCommandArgument(sink, highlight) + } + + override predicate isSink(DataFlow::Node sink) { this.isSinkWithHighlight(sink, _) } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll index 156a0248c886..ffcfead78961 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll 
@@ -37,3 +37,23 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig { * Taint tracking for download of sensitive file through insecure connection. */ module InsecureDownloadFlow = DataFlow::GlobalWithState; + +/** + * DEPRECATED. Use the `InsecureDownload` module instead. + */ +deprecated class Configuration extends DataFlow::Configuration { + Configuration() { this = "InsecureDownload" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + InsecureDownloadConfig::isSource(source, FlowState::fromFlowLabel(label)) + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + InsecureDownloadConfig::isSink(sink, FlowState::fromFlowLabel(label)) + } + + override predicate isBarrier(DataFlow::Node node) { + super.isBarrier(node) or + InsecureDownloadConfig::isBarrier(node) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll index 6b3b33968b4e..1fa4cd272b3b 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll 
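Review bot: The doc comment on the added deprecated `Configuration` class tells readers to use the `InsecureDownload` module, but the module declared in the context lines just above it is `InsecureDownloadFlow`. The migration hint therefore points at the wrong name. I would replace `InsecureDownload` with `InsecureDownloadFlow` in that comment line, matching the "Use the `...Flow` module instead" wording used by the other restored configurations in this patch.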
@@ -48,3 +48,28 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig { * Taint tracking for random values that are not cryptographically secure. */ module InsecureRandomnessFlow = DataFlow::Global; + +/** + * DEPRECATED. Use the `InsecureRandomnessFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "InsecureRandomness" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + // not making use of `super.isSanitizer`: those sanitizers are not for this kind of data + node instanceof Sanitizer + } + + override predicate isSanitizerOut(DataFlow::Node node) { + // stop propagation at the sinks to avoid double reporting + this.isSink(node) + } + + override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + InsecureRandomness::isAdditionalTaintStep(pred, succ) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll index 7127700b87bf..ee2f1bb96d15 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll 
@@ -27,3 +27,19 @@ module InsecureTemporaryFileConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about insecure temporary file creation. */ module InsecureTemporaryFileFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `InsecureTemporaryFileFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "InsecureTemporaryFile" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll index fc9dd3ad9a24..c29592569880 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll @@ -33,3 +33,19 @@ module InsufficientPasswordHashConfig implements DataFlow::ConfigSig { * Taint tracking for password hashing with insufficient computational effort. */ module InsufficientPasswordHashFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `InsufficientPasswordHashFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "InsufficientPasswordHash" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll index 9659b90f4359..9f2060709059 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll @@ -37,6 +37,19 @@ module LogInjectionConfig implements DataFlow::ConfigSig { */ module LogInjectionFlow = TaintTracking::Global; +/** + * DEPRECATED. Use the `LogInjectionFlow` module instead. + */ +deprecated class LogInjectionConfiguration extends TaintTracking::Configuration { + LogInjectionConfiguration() { this = "LogInjection" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } +} + /** * A source of remote user controlled input. */ diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll index 52e0e1a46da1..522df62eca56 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll 
@@ -46,3 +46,31 @@ module LoopBoundInjectionConfig implements DataFlow::StateConfigSig { * Taint tracking configuration for reasoning about looping on tainted objects with unbounded length. */ module LoopBoundInjectionFlow = TaintTracking::GlobalWithState; + +/** + * DEPRECATED. Use the `LoopBoundInjectionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "LoopBoundInjection" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + source instanceof Source and label = TaintedObject::label() + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + sink instanceof Sink and label = TaintedObject::label() + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof TaintedObject::SanitizerGuard or + guard instanceof IsArraySanitizerGuard or + guard instanceof InstanceofArraySanitizerGuard or + guard instanceof LengthCheckSanitizerGuard + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + ) { + TaintedObject::step(src, trg, inlbl, outlbl) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll index f7e2c5a442ab..e7d93aabb977 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll 
@@ -59,3 +59,37 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig { * Taint-tracking for reasoning about SQL-injection vulnerabilities. */ module NosqlInjectionFlow = DataFlow::GlobalWithState; + +/** + * DEPRECATED. Use the `NosqlInjectionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "NosqlInjection" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + TaintedObject::isSource(source, label) + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + sink.(Sink).getAFlowLabel() = label + } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof TaintedObject::SanitizerGuard + } + + override predicate isAdditionalFlowStep( + DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1, + DataFlow::FlowLabel state2 + ) { + NosqlInjectionConfig::isAdditionalFlowStep(node1, FlowState::fromFlowLabel(state1), node2, + FlowState::fromFlowLabel(state2)) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll index aa8c7fcf0fa3..188f2d20fd7f 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll 
@@ -11,6 +11,10 @@ import javascript import PostMessageStarCustomizations::PostMessageStar // Materialize flow labels +deprecated private class ConcretePartiallyTaintedObject extends PartiallyTaintedObject { + ConcretePartiallyTaintedObject() { this = this } +} + /** * A taint tracking configuration for cross-window communication with unrestricted origin. * 
@@ -41,3 +45,44 @@ module PostMessageStarConfig implements DataFlow::ConfigSig { * A taint tracking configuration for cross-window communication with unrestricted origin. */ module PostMessageStarFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `PostMessageStarFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "PostMessageStar" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) { + sink instanceof Sink and lbl = anyLabel() + } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + ) { + // writing a tainted value to an object property makes the object partially tainted + exists(DataFlow::PropWrite write | + write.getRhs() = src and + inlbl = anyLabel() and + trg.(DataFlow::SourceNode).flowsTo(write.getBase()) and + outlbl instanceof PartiallyTaintedObject + ) + or + // `toString` or `JSON.toString` on a partially tainted object gives a tainted value + exists(DataFlow::InvokeNode toString | toString = trg | + toString.(DataFlow::MethodCallNode).calls(src, "toString") + or + src = toString.(JsonStringifyCall).getInput() + ) and + inlbl instanceof PartiallyTaintedObject and + outlbl.isTaint() + or + // `valueOf` preserves partial taint + trg.(DataFlow::MethodCallNode).calls(src, "valueOf") and + inlbl instanceof PartiallyTaintedObject and + outlbl = inlbl + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll index 076ebf6e9de0..96eed4cadc2b 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll 
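Review bot: The comment on the second disjunct of `isAdditionalFlowStep` refers to `JSON.toString`, but the code below it matches `JsonStringifyCall`, so the comment should say `JSON.stringify`. This step is where a partially tainted object becomes fully tainted, so the comment should name the serialization call that actually propagates taint. Suggested wording: `// toString or JSON.stringify on a partially tainted object gives a tainted value`.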
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll 
@@ -140,6 +140,78 @@ predicate isIgnoredLibraryFlow(ExternalInputSource source, Sink sink) { ) } +/** + * DEPRECATED. Use the `PrototypePollutingAssignmentFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "PrototypePollutingAssignment" } + + override predicate isSource(DataFlow::Node node) { node instanceof Source } + + override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel lbl) { + node.(Sink).getAFlowLabel() = lbl + } + + override predicate isSanitizer(DataFlow::Node node) { + PrototypePollutingAssignmentConfig::isBarrier(node) + } + + override predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowLabel lbl) { + // Suppress the value-preserving step src -> dst in `extend(dst, src)`. This is modeled as a value-preserving + // step because it preserves all properties, but the destination is not actually Object.prototype. + node = any(ExtendCall call).getASourceOperand() and + lbl instanceof ObjectPrototype + } + + override predicate isAdditionalFlowStep( + DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + ) { + PrototypePollutingAssignmentConfig::isAdditionalFlowStep(pred, FlowState::fromFlowLabel(inlbl), + succ, FlowState::fromFlowLabel(outlbl)) + } + + override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { + super.hasFlowPath(source, sink) and + // require that there is a path without unmatched return steps + DataFlow::hasPathWithoutUnmatchedReturn(source, sink) and + // filter away paths that start with library inputs and end with a write to a fixed property. 
+ not exists(ExternalInputSource src, Sink snk, DataFlow::PropWrite write | + source.getNode() = src and sink.getNode() = snk + | + snk = write.getBase() and + ( + // fixed property name + exists(write.getPropertyName()) + or + // non-string property name (likely number) + exists(Expr prop | prop = write.getPropertyNameExpr() | + not prop.analyze().getAType() = TTString() + ) + ) + ) + } + + override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) { + super.isLabeledBarrier(node, lbl) + or + // Don't propagate into the receiver, as the method lookups will generally fail on Object.prototype. + node instanceof DataFlow::ThisNode and + lbl instanceof ObjectPrototype + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof PropertyPresenceCheck or + guard instanceof InExprCheck or + guard instanceof InstanceofCheck or + guard instanceof IsArrayCheck or + guard instanceof TypeofCheck or + guard instanceof NumberGuard or + guard instanceof EqualityCheck or + guard instanceof IncludesCheck or + guard instanceof DenyListInclusionGuard + } +} + /** Gets a data flow node referring to an object created with `Object.create`. */ DataFlow::SourceNode prototypeLessObject() { result = prototypeLessObject(DataFlow::TypeTracker::end()) diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll index 44cddc00f74a..86fbb1273d97 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll 
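Review bot: The `not exists(ExternalInputSource src, Sink snk, DataFlow::PropWrite write | ...)` filter in `hasFlowPath` looks like a second copy of `isIgnoredLibraryFlow(ExternalInputSource source, Sink sink)`, which the hunk header places directly above this class. That predicate's body is outside the hunk, so this is an inference. If the two are equivalent, calling it here, for example `not isIgnoredLibraryFlow(source.getNode(), sink.getNode())`, would stop the legacy and new configurations from drifting apart on which prototype-pollution paths are suppressed. If they are meant to differ, a one-line comment stating the difference would help the next reader.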
@@ -13,6 +13,13 @@ import semmle.javascript.dependencies.SemVer import PrototypePollutionCustomizations::PrototypePollution // Materialize flow labels +/** + * We no longer use this flow label, since it does not work in a world where flow states inherit taint steps. + */ +deprecated private class ConcreteTaintedObjectWrapper extends TaintedObjectWrapper { + ConcreteTaintedObjectWrapper() { this = this } +} + /** * A taint tracking configuration for user-controlled objects flowing into deep `extend` calls, * leading to prototype pollution. @@ -58,3 +65,36 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig { * leading to prototype pollution. */ module PrototypePollutionFlow = TaintTracking::GlobalWithState; + +/** + * DEPRECATED. Use the `PrototypePollutionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "PrototypePollution" } + + override predicate isSource(DataFlow::Node node, DataFlow::FlowLabel label) { + node.(Source).getAFlowLabel() = label + } + + override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel label) { + node.(Sink).getAFlowLabel() = label + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + ) { + TaintedObject::step(src, dst, inlbl, outlbl) + or + // Track objects are wrapped in other objects + exists(DataFlow::PropWrite write | + src = write.getRhs() and + inlbl = TaintedObject::label() and + dst = write.getBase().getALocalSource() and + outlbl = TaintedObjectWrapper::label() + ) + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) { + node instanceof TaintedObject::SanitizerGuard + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll index 3317d3c69fda..55688d4b5ff9 100644 
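Review bot: In the second hunk, the comment `// Track objects are wrapped in other objects` inside `isAdditionalFlowStep` is ungrammatical. `// Track objects that are wrapped in other objects` describes what the `PropWrite` step does. In the first hunk, the doc comment on `ConcreteTaintedObjectWrapper` says the flow label is no longer used, yet the deprecated `Configuration` added in the second hunk still produces `TaintedObjectWrapper::label()`. It would be clearer to say the label is kept only for the legacy configuration, and to open with `DEPRECATED.` like the other doc comments in this patch.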
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll @@ -27,6 +27,27 @@ module ReflectedXssConfig implements DataFlow::ConfigSig { */ module ReflectedXssFlow = TaintTracking::Global; +/** + * DEPRECATED. Use the `ReflectedXssFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ReflectedXss" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof QuoteGuard or + guard instanceof ContainsHtmlGuard + } +} + private class QuoteGuard extends SharedXss::QuoteGuard { QuoteGuard() { this = this } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll index 08d0b2caf6a7..606b0df62517 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll 
@@ -27,3 +27,19 @@ module RegExpInjectionConfig implements DataFlow::ConfigSig { * Taint-tracking for untrusted user input used to construct regular expressions. */ module RegExpInjectionFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `RegExpInjectionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "RegExpInjection" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll index d8f1e4622177..8f1f174d8ecf 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll @@ -31,3 +31,20 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about remote property injection. */ module RemotePropertyInjectionFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `RemotePropertyInjectionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "RemotePropertyInjection" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer or + node = StringConcatenation::getRoot(any(ConstantString str).flow()) + } +} 
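Review bot: `isSanitizer` in the deprecated `Configuration` of RemotePropertyInjectionQuery.qll spells out its own barrier, `node = StringConcatenation::getRoot(any(ConstantString str).flow())`, instead of reusing what `RemotePropertyInjectionConfig` defines. The legacy class and the module it sends users to can therefore drift apart and treat different nodes as safe for the same code. Other hunks in this patch delegate (`StackTraceExposureConfig::isBarrier(nd)`, `RequestForgeryConfig::isBarrierOut(node)`); the same shape here would be `super.isSanitizer(node) or RemotePropertyInjectionConfig::isBarrier(node)`, assuming the module declares `isBarrier`, which this hunk does not show. The ResourceExhaustion hunk (the `"length"` property read) and the UnsafeJQueryPlugin hunk (`isSanitizerOut`) restate their barriers in the same way.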
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll index 23f8f4bdd137..2628fadedbf0 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll @@ -40,3 +40,28 @@ module RequestForgeryConfig implements DataFlow::ConfigSig { * Taint tracking for server-side request forgery. */ module RequestForgeryFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `RequestForgeryFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "RequestForgery" } + + override predicate isSource(DataFlow::Node source) { RequestForgeryConfig::isSource(source) } + + override predicate isSink(DataFlow::Node sink) { RequestForgeryConfig::isSink(sink) } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) + or + node instanceof Sanitizer + } + + override predicate isSanitizerOut(DataFlow::Node node) { + RequestForgeryConfig::isBarrierOut(node) + } + + override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + RequestForgeryConfig::isAdditionalFlowStep(pred, succ) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll index dcedce3049ae..cfad24432289 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll 
@@ -36,6 +36,31 @@ module ResourceExhaustionConfig implements DataFlow::ConfigSig { */ module ResourceExhaustionFlow = TaintTracking::Global; +/** + * DEPRECATED. Use the `ResourceExhaustionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ResourceExhaustion" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer or + node = any(DataFlow::PropRead read | read.getPropertyName() = "length") + } + + override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) { + isNumericFlowStep(src, dst) + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof UpperBoundsCheckSanitizerGuard + } +} + /** Holds if data is converted to a number from `src` to `dst`. */ predicate isNumericFlowStep(DataFlow::Node src, DataFlow::Node dst) { exists(DataFlow::CallNode c | diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll index 41ae0563d9d8..0c5af5abd37c 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll 
@@ -56,3 +56,32 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig { */ module SecondOrderCommandInjectionFlow = DataFlow::GlobalWithState; + +/** + * DEPRECATED. Use the `SecondOrderCommandInjectionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "SecondOrderCommandInjection" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + source.(Source).getALabel() = label + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + sink.(Sink).getALabel() = label + } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof PrefixStringSanitizer or + guard instanceof DoubleDashSanitizer or + guard instanceof TaintedObject::SanitizerGuard + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + ) { + TaintedObject::step(src, trg, inlbl, outlbl) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll index 7ba27a362f86..e889480b48b7 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll 
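Review bot: `isSanitizer` in this deprecated `Configuration` is just `node instanceof Sanitizer`, without the `super.isSanitizer(node) or` disjunct that most of the other added classes carry (ReflectedXss, RegExpInjection and SqlInjection, for example). The ShellCommandInjectionFromEnvironment, TemplateObjectInjection and UnsafeShellCommandConstruction hunks omit it as well. The base class is not shown in the patch, so the disjunct may well be a no-op, but the classes should agree one way or the other; here that would be `super.isSanitizer(node) or node instanceof Sanitizer`.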
@@ -39,6 +39,35 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig { */ module ServerSideUrlRedirectFlow = TaintTracking::Global; +/** + * DEPRECATED. Use the `ServerSideUrlRedirectFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ServerSideUrlRedirect" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isSanitizerOut(DataFlow::Node node) { + ServerSideUrlRedirectConfig::isBarrierOut(node) + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof LocalUrlSanitizingGuard or + guard instanceof HostnameSanitizerGuard + } + + override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + ServerSideUrlRedirectConfig::isAdditionalFlowStep(pred, succ) + } +} + /** * A call to a function called `isLocalUrl` or similar, which is * considered to sanitize a variable for purposes of URL redirection. diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll index e74aa829340a..1d396da5b20d 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll 
@@ -43,3 +43,23 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig */ module ShellCommandInjectionFromEnvironmentFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `ShellCommandInjectionFromEnvironmentFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ShellCommandInjectionFromEnvironment" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + /** Holds if `sink` is a command-injection sink with `highlight` as the corresponding alert location. */ + predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) { + sink instanceof Sink and highlight = sink + or + isIndirectCommandArgument(sink, highlight) + } + + override predicate isSink(DataFlow::Node sink) { this.isSinkWithHighlight(sink, _) } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll index 85ae77d9d37b..69dabac14680 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll 
@@ -39,3 +39,23 @@ module SqlInjectionConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about string based query injection vulnerabilities. */ module SqlInjectionFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `SqlInjectionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "SqlInjection" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + SqlInjectionConfig::isAdditionalFlowStep(pred, succ) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll index 0295124f44c1..254df5aabe6e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll @@ -36,3 +36,20 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about stack trace exposure problems. */ module StackTraceExposureFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `StackTraceExposureFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "StackTraceExposure" } + + override predicate isSource(DataFlow::Node src) { src instanceof Source } + + override predicate isSanitizer(DataFlow::Node nd) { + super.isSanitizer(nd) + or + StackTraceExposureConfig::isBarrier(nd) + } + + override predicate isSink(DataFlow::Node snk) { snk instanceof Sink } +} 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll index fa25fa1e58b8..48e186bd71e3 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll @@ -27,6 +27,27 @@ module StoredXssConfig implements DataFlow::ConfigSig { */ module StoredXssFlow = TaintTracking::Global; +/** + * DEPRECATED. Use the `StoredXssFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "StoredXss" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof QuoteGuard or + guard instanceof ContainsHtmlGuard + } +} + private class QuoteGuard extends Shared::QuoteGuard { QuoteGuard() { this = this } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll index 8ecdde85e768..55338477cb49 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll 
@@ -27,3 +27,19 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig { * Taint-tracking for format injections. */ module TaintedFormatStringFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `TaintedFormatStringFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "TaintedFormatString" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll index e7961fdfa10b..dc23b895a4f6 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll @@ -69,6 +69,8 @@ module TaintedPath { } } + deprecated class BarrierGuardNode = BarrierGuard; + private newtype TFlowState = TPosixPath(FlowState::Normalization normalization, FlowState::Relativeness relativeness) or TSplitPath() diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll index 6c601f294bf5..8b50a69cedce 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll 
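Review bot: The alias `deprecated class BarrierGuardNode = BarrierGuard;` added in TaintedPathCustomizations.qll has no QLDoc, unlike the other deprecations in this patch, so a user who hits the deprecation warning is not told what to use instead. A one-line comment above it would do: ``/** DEPRECATED. Use `BarrierGuard` instead. */``. The enclosing `module TaintedPath` starts and ends outside the hunk.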
@@ -55,3 +55,34 @@ module TaintedPathConfig implements DataFlow::StateConfigSig { * Taint-tracking for reasoning about tainted-path vulnerabilities. */ module TaintedPathFlow = DataFlow::GlobalWithState; + +/** + * DEPRECATED. Use the `TaintedPathFlow` module instead. + */ +deprecated class Configuration extends DataFlow::Configuration { + Configuration() { this = "TaintedPath" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + label = source.(Source).getAFlowLabel() + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + label = sink.(Sink).getAFlowLabel() + } + + override predicate isBarrier(DataFlow::Node node) { + super.isBarrier(node) or + node instanceof Sanitizer + } + + override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) { + guard instanceof BarrierGuardNode + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, + DataFlow::FlowLabel dstlabel + ) { + isAdditionalTaintedPathFlowStep(src, dst, srclabel, dstlabel) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll index 659f7a952820..348e59937b5e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll 
@@ -53,3 +53,30 @@ module TemplateObjectInjectionConfig implements DataFlow::StateConfigSig { * Taint tracking for reasoning about template object injection vulnerabilities. */ module TemplateObjectInjectionFlow = DataFlow::GlobalWithState; + +/** + * DEPRECATED. Use the `TemplateObjectInjectionFlow` module instead. + */ +deprecated class TemplateObjInjectionConfig extends TaintTracking::Configuration { + TemplateObjInjectionConfig() { this = "TemplateObjInjectionConfig" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + source.(Source).getAFlowLabel() = label + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + sink instanceof Sink and label = TaintedObject::label() + } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof TaintedObject::SanitizerGuard + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + ) { + TaintedObject::step(src, trg, inlbl, outlbl) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll index 28a86e7f69fe..03e8c5c48ebb 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll 
@@ -59,3 +59,25 @@ private class IsArrayBarrier extends BarrierGuard, DataFlow::CallNode { outcome = [true, false] // separation between string/array removes type confusion in both branches } } + +/** + * DEPRECATED. Use the `TypeConfusionFlow` module instead. + */ +deprecated class Configuration extends DataFlow::Configuration { + Configuration() { this = "TypeConfusionThroughParameterTampering" } + + override predicate isSource(DataFlow::Node source) { TypeConfusionConfig::isSource(source) } + + override predicate isSink(DataFlow::Node sink) { TypeConfusionConfig::isSink(sink) } + + override predicate isBarrier(DataFlow::Node node) { + super.isBarrier(node) + or + node instanceof Barrier + } + + override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) { + guard instanceof TypeOfTestBarrier or + guard instanceof IsArrayBarrier + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll index 92d7d6caf76b..e29d5d87a70f 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll 
@@ -46,4 +46,33 @@ module UnsafeCodeConstruction { * Taint-tracking for reasoning about unsafe code constructed from library input. */ module UnsafeCodeConstructionFlow = TaintTracking::Global; + + /** + * DEPRECATED. Use the `UnsafeCodeConstructionFlow` module instead. + */ + deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "UnsafeCodeConstruction" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof CodeInjection::Sanitizer + } + + override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) { + // HTML sanitizers are insufficient protection against code injection + src = trg.(HtmlSanitizerCall).getInput() + or + DataFlow::localFieldStep(src, trg) + } + + // override to require that there is a path without unmatched return steps + override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { + super.hasFlowPath(source, sink) and + DataFlow::hasPathWithoutUnmatchedReturn(source, sink) + } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll index 75af7cd4d86d..b0621c6ac48e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll 
@@ -26,3 +26,19 @@ module UnsafeDeserializationConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about unsafe deserialization. */ module UnsafeDeserializationFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `UnsafeDeserializationFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "UnsafeDeserialization" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll index dc468762c936..423b50f17f70 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll 
@@ -83,3 +83,39 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig { * Taint-tracking for reasoning about unsafe dynamic method access. */ module UnsafeDynamicMethodAccessFlow = DataFlow::GlobalWithState; + +/** + * DEPRECATED. Use the `UnsafeDynamicMethodAccessFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "UnsafeDynamicMethodAccess" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + UnsafeDynamicMethodAccessConfig::isSource(source, FlowState::fromFlowLabel(label)) + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + UnsafeDynamicMethodAccessConfig::isSink(sink, FlowState::fromFlowLabel(label)) + } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) + or + UnsafeDynamicMethodAccessConfig::isBarrier(node) + } + + /** + * Holds if a property of the given object is an unsafe function. + */ + predicate hasUnsafeMethods(DataFlow::SourceNode node) { + PropertyInjection::hasUnsafeMethods(node) // Redefined here so custom queries can override it + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, + DataFlow::FlowLabel dstlabel + ) { + UnsafeDynamicMethodAccessConfig::additionalFlowStep(src, FlowState::fromFlowLabel(srclabel), + dst, FlowState::fromFlowLabel(dstlabel)) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll index 3c962c3814e2..913329813c1b 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll 
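Review bot: The member predicate `hasUnsafeMethods` carries the comment "Redefined here so custom queries can override it", but nothing else in this class calls `this.hasUnsafeMethods`. `isSource`, `isSink`, `isSanitizer` and `isAdditionalFlowStep` all forward to `UnsafeDynamicMethodAccessConfig`, which cannot see an override made in a subclass. As far as this hunk shows, a custom query that overrides it gets unchanged results and no warning. The comment should say so, as the `sanitizes` predicate in UnvalidatedDynamicMethodCallCustomizations.qll does: `// Kept for compatibility; overriding it no longer affects the flow computed by this configuration.`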
@@ -9,6 +9,9 @@ private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizati import UnsafeHtmlConstructionCustomizations::UnsafeHtmlConstruction import semmle.javascript.security.TaintedObject +/** DEPRECATED: Mis-spelled class name, alias for Configuration. */ +deprecated class Configration = Configuration; + /** * A taint-tracking configuration for reasoning about unsafe HTML constructed from library input vulnerabilities. */ diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll index 245d75b35334..75eeaf20cfaa 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll 
@@ -51,6 +51,47 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig { */ module UnsafeJQueryPluginFlow = TaintTracking::Global; +/** + * DEPRECATED. Use the `UnsafeJQueryPluginFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "UnsafeJQueryPlugin" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) + or + node instanceof DomBasedXss::Sanitizer + or + node instanceof Sanitizer + } + + override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) { + // jQuery plugins tend to be implemented as classes that store data in fields initialized by the constructor. + DataFlow::localFieldStep(src, sink) or + aliasPropertyPresenceStep(src, sink) + } + + override predicate isSanitizerOut(DataFlow::Node node) { + // prefixing prevents forced html/css confusion: + // prefixing through concatenation: + StringConcatenation::taintStep(node, _, _, any(int i | i >= 1)) + or + // prefixing through a poor-mans templating system: + node = any(StringReplaceCall call).getRawReplacement() + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) { + super.isSanitizerGuard(node) or + node instanceof IsElementSanitizer or + node instanceof PropertyPresenceSanitizer or + node instanceof NumberGuard + } +} + /** * Holds if there is a taint-step from `src` to `sink`, * where `src` is a property read that acts as a sanitizer for the base, diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll index 2b1a340b8e62..e006c2a2f498 100644 
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll @@ -42,3 +42,33 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig { */ module UnsafeShellCommandConstructionFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `UnsafeShellCommandConstructionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "UnsafeShellCommandConstruction" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof PathExistsSanitizerGuard or + guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer or + guard instanceof NumberGuard or + guard instanceof TypeOfSanitizer + } + + // override to require that there is a path without unmatched return steps + override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { + super.hasFlowPath(source, sink) and + DataFlow::hasPathWithoutUnmatchedReturn(source, sink) + } + + override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + DataFlow::localFieldStep(pred, succ) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll index 4a0b1865ece0..e516167a30b4 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll 
@@ -92,6 +92,18 @@ module UnvalidatedDynamicMethodCall { /** DEPRECATED. Use `getAFlowState()` instead. */ deprecated DataFlow::FlowLabel getFlowLabel() { result = this.getAFlowState().toFlowLabel() } + + /** + * DEPRECATED. Use sanitizer nodes instead. + * + * This predicate no longer has any effect. The `this` value of `Sanitizer` is instead + * treated as a sanitizing node, that is, flow in and out of that node is prohibited. + */ + deprecated predicate sanitizes( + DataFlow::Node source, DataFlow::Node sink, DataFlow::FlowLabel lbl + ) { + none() + } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll index 8cf5279fe42f..7b6a6124edaf 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll 
@@ -100,3 +100,37 @@ module UnvalidatedDynamicMethodCallConfig implements DataFlow::StateConfigSig { */ module UnvalidatedDynamicMethodCallFlow = DataFlow::GlobalWithState; + +/** + * DEPRECATED. Use the `UnvalidatedDynamicMethodCallFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "UnvalidatedDynamicMethodCall" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + source.(Source).getFlowLabel() = label + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + sink.(Sink).getFlowLabel() = label + } + + override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel label) { + super.isLabeledBarrier(node, label) + or + node.(Sanitizer).getFlowLabel() = label + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof NumberGuard or + guard instanceof FunctionCheck + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, + DataFlow::FlowLabel dstlabel + ) { + UnvalidatedDynamicMethodCallConfig::isAdditionalFlowStep(src, + FlowState::fromFlowLabel(srclabel), dst, FlowState::fromFlowLabel(dstlabel)) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll index ae469c3e5755..99f5874cf578 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll 
@@ -27,3 +27,19 @@ module XmlBombConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about XML-bomb vulnerabilities. */ module XmlBombFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `XmlBombFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "XmlBomb" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll index 991d7b3f6fc3..fcae5a0eb767 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll @@ -28,3 +28,19 @@ module XpathInjectionConfig implements DataFlow::ConfigSig { * Taint-tracking for untrusted user input used in XPath expression. */ module XpathInjectionFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `XpathInjectionFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "XpathInjection" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll index a803362ad11d..a9292bbdd4d8 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll 
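Review bot: The legacy `Configuration` classes for `XmlBomb` and `XpathInjection` restate their sources, sinks and sanitizers by hand instead of delegating to `XmlBombConfig` and `XpathInjectionConfig`, so a later change to the new configuration would leave the deprecated class reporting a different result set. The `UnvalidatedDynamicMethodCall` and `ZipSlip` classes in this patch already delegate their additional flow step to the new config; the same could be done here, e.g. `override predicate isSource(DataFlow::Node source) { XmlBombConfig::isSource(source) }` and likewise for `isSink`. The `Xxe` class further down follows the same hand-copied pattern. The bodies of the `*Config` modules are outside these hunks, so their equivalence should be checked before switching.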
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll @@ -46,6 +46,46 @@ predicate isIgnoredSourceSinkPair(Source source, DomBasedXss::Sink sink) { sink instanceof DomBasedXss::WriteUrlSink } +/** + * DEPRECATED. Use the `XssThroughDomFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "XssThroughDOM" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof DomBasedXss::Sanitizer or + DomBasedXss::isOptionallySanitizedNode(node) + } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { + guard instanceof TypeTestGuard or + guard instanceof UnsafeJQuery::PropertyPresenceSanitizer or + guard instanceof UnsafeJQuery::NumberGuard or + guard instanceof PrefixStringSanitizer or + guard instanceof QuoteGuard or + guard instanceof ContainsHtmlGuard + } + + override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + succ = DataFlow::globalVarRef("URL").getAMemberCall("createObjectURL") and + pred = succ.(DataFlow::InvokeNode).getArgument(0) + } + + override predicate hasFlowPath(DataFlow::SourcePathNode src, DataFlow::SinkPathNode sink) { + super.hasFlowPath(src, sink) and + // filtering away readings of `src` that end in a URL sink. + not ( + sink.getNode() instanceof DomBasedXss::WriteUrlSink and + src.getNode().(DomPropertySource).getPropertyName() = "src" + ) + } +} + /** A test for the value of `typeof x`, restricting the potential types of `x`. */ class TypeTestGuard extends BarrierGuard, DataFlow::ValueNode { override EqualityTest astNode; 
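Review bot: The `hasFlowPath` override repeats, as an inline `not (...)`, the `src`-property / `WriteUrlSink` exclusion that `isIgnoredSourceSinkPair` directly above the inserted class appears to express (only the last line of that predicate is inside the hunk). Two copies of a result filter can drift apart, and then the deprecated and the current XSS-through-DOM analysis would disagree about which alerts are suppressed. If the predicate's body matches, the override can call it instead: `not isIgnoredSourceSinkPair(src.getNode(), sink.getNode())`.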
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll index 191e263fa520..616768030a36 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll @@ -27,3 +27,19 @@ module XxeConfig implements DataFlow::ConfigSig { * Taint-tracking for reasoning about XXE vulnerabilities. */ module XxeFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `XxeFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "Xxe" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll index 7c6a34563b8c..b59a78462b8c 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll 
@@ -50,3 +50,33 @@ module ZipSlipConfig implements DataFlow::StateConfigSig { /** A taint tracking configuration for unsafe archive extraction. */ module ZipSlipFlow = DataFlow::GlobalWithState; + +/** A taint tracking configuration for unsafe archive extraction. */ +deprecated class Configuration extends DataFlow::Configuration { + Configuration() { this = "ZipSlip" } + + override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { + label = source.(Source).getAFlowLabel() + } + + override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { + label = sink.(Sink).getAFlowLabel() + } + + override predicate isBarrier(DataFlow::Node node) { + super.isBarrier(node) or + node instanceof TaintedPath::Sanitizer + } + + override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) { + guard instanceof TaintedPath::BarrierGuardNode + } + + override predicate isAdditionalFlowStep( + DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, + DataFlow::FlowLabel dstlabel + ) { + ZipSlipConfig::isAdditionalFlowStep(src, TaintedPath::FlowState::fromFlowLabel(srclabel), dst, + TaintedPath::FlowState::fromFlowLabel(dstlabel)) + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll index 2fc23b4b234b..d1baf9c45230 100644 --- a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll 
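Review bot: The doc comment on the re-added `Configuration` class is a copy of the one on `ZipSlipFlow` and does not mention the deprecation, whereas every other legacy class in this patch names the module that replaces it. It also calls the class a taint tracking configuration although it extends `DataFlow::Configuration`. I would replace it with ``/** DEPRECATED. Use the `ZipSlipFlow` module instead. */``.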
@@ -39,3 +39,34 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig { /** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */ module PolynomialReDoSFlow = TaintTracking::Global; + +/** + * DEPRECATED. Use the `PolynomialReDoSFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "PolynomialReDoS" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) { + super.isSanitizerGuard(node) or + node instanceof LengthGuard + } + + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer + } + + override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { + super.hasFlowPath(source, sink) and + // require that there is a path without unmatched return steps + DataFlow::hasPathWithoutUnmatchedReturn(source, sink) + } + + override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + DataFlow::localFieldStep(pred, succ) + } +} diff --git a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll index 3b474f6d0a0c..380f594c21e3 100644 --- a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll +++ b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll @@ -34,6 +34,13 @@ module SsrfConfig implements DataFlow::ConfigSig { module SsrfFlow = TaintTracking::Global; +/** + * DEPRECATED. Use the `SsrfFlow` module instead. + */ +deprecated class Configuration extends TaintTracking::Configuration { + Configuration() { this = "SSRF" } +} + /** * A sanitizer for ternary operators. * 
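Review bot: The deprecated `Configuration` added to `SSRF.qll` consists of a characteristic predicate only; no `isSource`, `isSink` or sanitizer override appears in the hunk. Unless those are supplied somewhere outside this diff, a query that still selects from this class would compile with a deprecation warning and report no SSRF flow at all, which is easy to misread as a clean result. The doc comment should say so, for example ``* DEPRECATED. Use the `SsrfFlow` module instead. This class defines no sources or sinks and yields no results.``, or the class should carry the same overrides as the other legacy configurations in this patch.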
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/XssDiff.ql b/javascript/ql/test/library-tests/frameworks/Templating/XssDiff.ql index 53de286bcdd0..66f34f2e4226 100644 --- a/javascript/ql/test/library-tests/frameworks/Templating/XssDiff.ql +++ b/javascript/ql/test/library-tests/frameworks/Templating/XssDiff.ql @@ -2,4 +2,7 @@ import javascript import semmle.javascript.security.dataflow.DomBasedXssQuery deprecated import utils.test.LegacyDataFlowDiff +deprecated query predicate legacyDataFlowDifference = + DataFlowDiff::legacyDataFlowDifference/3; + query predicate flow = DomBasedXssFlow::flow/2; From e1b14cb0be01c042a1b48ea8c1926cb2820fc1a3 Mon Sep 17 00:00:00 2001 From: erik-krogh Date: Mon, 27 Jan 2025 19:56:52 +0100 Subject: [PATCH 5/9] ruby: delete now dead Ruby method --- ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll | 3 --- 1 file changed, 3 deletions(-) diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll index 50f6986f77aa..deaa0a6427a0 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll @@ -103,9 +103,6 @@ class ActiveRecordModelClass extends ClassDeclaration { cls = activeRecordBaseClass().getADescendentModule() and this = cls.getADeclaration() } - // Gets the class declaration for this class and all of its super classes - private ModuleBase getAllClassDeclarations() { result = cls.getAnAncestor().getADeclaration() } - /** Gets the class as a `DataFlow::ClassNode`. */ DataFlow::ClassNode getClassNode() { result = cls } } From 90b403b40b94d193f919091c01031fc47ca1676f Mon Sep 17 00:00:00 2001 
From: erik-krogh Date: Mon, 27 Jan 2025 22:16:24 +0100 Subject: [PATCH 6/9] py: delete the remainder of the deprecated TypeTracker libary --- .../python/dataflow/new/TypeTracker.qll | 10 ----- .../dataflow/new/internal/TypeTracker.qll | 9 ---- .../new/internal/TypeTrackerSpecific.qll | 42 ------------------- 3 files changed, 61 deletions(-) delete mode 100644 python/ql/lib/semmle/python/dataflow/new/TypeTracker.qll delete mode 100644 python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll delete mode 100644 python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll diff --git a/python/ql/lib/semmle/python/dataflow/new/TypeTracker.qll b/python/ql/lib/semmle/python/dataflow/new/TypeTracker.qll deleted file mode 100644 index ed025ab4eb11..000000000000 --- a/python/ql/lib/semmle/python/dataflow/new/TypeTracker.qll +++ /dev/null @@ -1,10 +0,0 @@ -/** - * DEPRECATED: Use `semmle.python.dataflow.new.TypeTracking` instead. - * - * This file acts as a wrapper for `internal.TypeTracker`, exposing some of the functionality with - * names that are more appropriate for Python. - */ - -private import python -private import internal.TypeTracker as Internal -private import internal.TypeTrackerSpecific as InternalSpecific diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll deleted file mode 100644 index 3201cb9a3853..000000000000 --- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll +++ /dev/null @@ -1,9 +0,0 @@ -/** Step Summaries and Type Tracking */ - -private import TypeTrackerSpecific -private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic - -cached -private module Cached { } - -private import Cached 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
deleted file mode 100644
index f1b04c779708..000000000000
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
+++ /dev/null
@@ -1,42 +0,0 @@
-/**
- * Provides Python-specific definitions for use in the type tracker library.
- */
-
-private import python
-private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
-private import TypeTrackingImpl as TypeTrackingImpl
-
-deprecated predicate simpleLocalFlowStep =
- TypeTrackingImpl::TypeTrackingInput::simpleLocalSmallStep/2;
-
-deprecated predicate jumpStep = TypeTrackingImpl::TypeTrackingInput::jumpStep/2;
-
-/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which does not depend on the call graph. */
-deprecated predicate levelStepNoCall = TypeTrackingImpl::TypeTrackingInput::levelStepNoCall/2;
-
-/**
- * Holds if `nodeFrom` steps to `nodeTo` by being passed as a parameter in a call.
- *
- * Flow into summarized library methods is not included, as that will lead to negative
- * recursion (or, at best, terrible performance), since identifying calls to library
- * methods is done using API graphs (which uses type tracking).
- */
-deprecated predicate callStep = TypeTrackingImpl::TypeTrackingInput::callStep/2;
-
-/** Holds if `nodeFrom` steps to `nodeTo` by being returned from a call. */
-deprecated predicate returnStep = TypeTrackingImpl::TypeTrackingInput::returnStep/2;
-
-/**
- * Holds if `nodeFrom` is being written to the `content` content of the object in `nodeTo`.
- */
-deprecated predicate basicStoreStep = TypeTrackingImpl::TypeTrackingInput::storeStep/3;
-
-/**
- * Holds if `nodeTo` is the result of accessing the `content` content of `nodeFrom`.
- */
-deprecated predicate basicLoadStep = TypeTrackingImpl::TypeTrackingInput::loadStep/3;
-
-/**
- * Holds if the `loadContent` of `nodeFrom` is stored in the `storeContent` of `nodeTo`.
- */
-deprecated predicate basicLoadStoreStep = TypeTrackingImpl::TypeTrackingInput::loadStoreStep/4;
From d46a2d4e802878a766dd96f992ea5e353f7d80ef Mon Sep 17 00:00:00 2001
From: erik-krogh Date: Mon, 27 Jan 2025 22:38:07 +0100 Subject: [PATCH 7/9] ruby: delete the remainders of the old deprecated typetracking library --- .../ql/lib/codeql/ruby/typetracking/TypeTracker.qll | 13 ------------- .../ruby/typetracking/TypeTrackerSpecific.qll | 4 ---- 2 files changed, 17 deletions(-) delete mode 100644 ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll delete mode 100644 ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll deleted file mode 100644 index c56f7c48468f..000000000000 --- a/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll +++ /dev/null @@ -1,13 +0,0 @@ -/** - * DEPRECATED: Use `codeql.ruby.typetracking.TypeTracking` instead. - * - * Step Summaries and Type Tracking - */ - -private import TypeTrackerSpecific -private import codeql.util.Boolean - -cached -private module Cached { } - -private import Cached diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll deleted file mode 100644 index c92180d134ed..000000000000 --- a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll +++ /dev/null @@ -1,4 +0,0 @@ -private import codeql.ruby.dataflow.internal.DataFlowPublic as DataFlowPublic -private import codeql.ruby.dataflow.internal.DataFlowPrivate as DataFlowPrivate -private import internal.TypeTrackingImpl as TypeTrackingImpl -deprecated import codeql.util.Boolean From a1afa20d4b2aa6dd4c94742517a9f78c6510610d Mon Sep 17 00:00:00 2001 
From: erik-krogh Date: Mon, 27 Jan 2025 22:43:13 +0100 Subject: [PATCH 8/9] add change-notes --- .../2025-01-27-outdated-deprecations.md | 4 ++++ .../2025-01-27-outdated-deprecations.md | 5 +++++ .../2025-01-27-outdated-deprecations.md | 4 ++++ .../2025-01-27-outdated-deprecations.md | 11 +++++++++++ .../2025-01-27-outdated-deprecations.md | 6 ++++++ .../2025-01-27-outdated-deprecations.md | 17 +++++++++++++++++ .../2025-01-27-outdated-deprecations.md | 5 +++++ .../2025-01-27-outdated-deprecations.md | 4 ++++ .../2025-01-27-outdated-deprecations.md | 5 +++++ 9 files changed, 61 insertions(+) create mode 100644 cpp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md create mode 100644 csharp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md create mode 100644 go/ql/lib/change-notes/2025-01-27-outdated-deprecations.md create mode 100644 java/ql/lib/change-notes/2025-01-27-outdated-deprecations.md create mode 100644 python/ql/lib/change-notes/2025-01-27-outdated-deprecations.md create mode 100644 ruby/ql/lib/change-notes/2025-01-27-outdated-deprecations.md create mode 100644 shared/dataflow/change-notes/2025-01-27-outdated-deprecations.md create mode 100644 shared/typetracking/change-notes/2025-01-27-outdated-deprecations.md create mode 100644 swift/ql/lib/change-notes/2025-01-27-outdated-deprecations.md diff --git a/cpp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md b/cpp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md new file mode 100644 index 000000000000..20b2c973cc3c --- /dev/null +++ b/cpp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md @@ -0,0 +1,4 @@ +--- +category: breaking +--- +* Deleted the deprecated `getAllocatorCall` predicate from `DeleteOrDeleteArrayExpr`, use `getDeallocatorCall` instead. \ No newline at end of file diff --git a/csharp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md b/csharp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md new file mode 100644 index 000000000000..4935e88a9871 
--- /dev/null
+++ b/csharp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -0,0 +1,5 @@
+---
+category: breaking
+---
+* Deleted the deprecated `getInstanceType` predicate from the `UnboundGenericType` class.
+* Deleted the deprecated `getElement` predicate from the `Node` class in `ControlFlowGraph.qll`, use `getAstNode` instead.
\ No newline at end of file
diff --git a/go/ql/lib/change-notes/2025-01-27-outdated-deprecations.md b/go/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
new file mode 100644
index 000000000000..8a00e5083466
--- /dev/null
+++ b/go/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* Deleted the deprecated `describeBitSize` predicate from `IncorrectIntegerConversionLib.qll`
\ No newline at end of file
diff --git a/java/ql/lib/change-notes/2025-01-27-outdated-deprecations.md b/java/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
new file mode 100644
index 000000000000..4a9ef73b8e27
--- /dev/null
+++ b/java/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -0,0 +1,11 @@
+---
+category: breaking
+---
+* Deleted the deprecated `isLValue` and `isRValue` predicates from the `VarAccess` class, use `isVarWrite` and `isVarRead` respectively instead.
+* Deleted the deprecated `getRhs` predicate from the `VarWrite` class, use `getASource` instead.
+* Deleted the deprecated `LValue` and `RValue` classes, use `VarWrite` and `VarRead` respectively instead.
+* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead.
+* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead.
+* Deleted the deprecated `EnvInput` and `DatabaseInput` classes from `FlowSources.qll`, use the threat models feature instead.
+* Deleted some deprecated API predicates from `SensitiveApi.qll`, use the Sink classes from that file instead.
+
diff --git a/python/ql/lib/change-notes/2025-01-27-outdated-deprecations.md b/python/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
new file mode 100644
index 000000000000..dd7c5e70e863
--- /dev/null
+++ b/python/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -0,0 +1,6 @@
+---
+category: breaking
+---
+* Deleted the old deprecated TypeTracking library.
+* Deleted the deprecated `classRef` predicate from the `FieldStorage` module, use `subclassRef` instead.
+* Deleted a lot of deprecated modules and predicates from `Stdlib.qll`, use API-graphs directly instead.
diff --git a/ruby/ql/lib/change-notes/2025-01-27-outdated-deprecations.md b/ruby/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
new file mode 100644
index 000000000000..8c4fef82d934
--- /dev/null
+++ b/ruby/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -0,0 +1,17 @@
+---
+category: breaking
+---
+* Deleted the deprecated `getCallNode` predicate from `API::Node`, use `asCall()` instead.
+* Deleted the deprecated `getASubclass`, `getAnImmediateSubclass`, `getASuccessor`, `getAPredecessor`, `getASuccessor`, `getDepth`, and `getPath` predicates from `API::Node`.
+* Deleted the deprecated `Root`, `Use`, and `Def` classes from `ApiGraphs.qll`.
+* Deleted the deprecated `Label` module from `ApiGraphs.qll`.
+* Deleted the deprecated `getAUse`, `getAnImmediateUse`, `getARhs`, and `getAValueReachingRhs` predicates from `API::Node`, use `getAValueReachableFromSource`, `asSource`, `asSink`, and `getAValueReachingSink` instead.
+* Deleted the deprecated `getAVariable` predicate from the `ExprNode` class, use `getVariable` instead.
+* Deleted the deprecated `getAPotentialFieldAccessMethod` predicate from the `ActiveRecordModelClass` class.
+* Deleted the deprecated `ActiveRecordModelClassMethodCall` class from `ActiveRecord.qll`, use `ActiveRecordModelClass.getClassNode().trackModule().getMethod()` instead.
+* Deleted the deprecated `PotentiallyUnsafeSqlExecutingMethodCall` class from `ActiveRecord.qll`, use the `SqlExecution` concept instead.
+* Deleted the deprecated `ModelClass` and `ModelInstance` classes from `ActiveResource.qll`, use `ModelClassNode` and `ModelClassNode.getAnInstanceReference()` instead.
+* Deleted the deprecated `Collection` class from `ActiveResource.qll`, use `CollectionSource` instead.
+* Deleted the deprecated `ServiceInstantiation` and `ClientInstantiation` classes from `Twirp.qll`.
+* Deleted a lot of deprecated dataflow modules from "*Query.qll" files.
+* Deleted the old deprecated TypeTracking library.
diff --git a/shared/dataflow/change-notes/2025-01-27-outdated-deprecations.md b/shared/dataflow/change-notes/2025-01-27-outdated-deprecations.md
new file mode 100644
index 000000000000..762527f1b737
--- /dev/null
+++ b/shared/dataflow/change-notes/2025-01-27-outdated-deprecations.md
@@ -0,0 +1,5 @@ +--- +category: breaking +--- +* Deleted the deprecated `Make` and `MakeWithState` modules, use `Global` and `GlobalWithState` instead. +* Deleted the deprecated `hasFlow`, `hasFlowPath`, `hasFlowTo`, and `hasFlowToExpr` predicates, use `flow`, `flowPath`, `flowTo`, and `flowToExpr` respectively instead. \ No newline at end of file diff --git a/shared/typetracking/change-notes/2025-01-27-outdated-deprecations.md b/shared/typetracking/change-notes/2025-01-27-outdated-deprecations.md new file mode 100644 index 000000000000..c04779d478fa --- /dev/null +++ b/shared/typetracking/change-notes/2025-01-27-outdated-deprecations.md @@ -0,0 +1,4 @@ +--- +category: breaking +--- +* Deleted the deprecated `ConsistencyChecks` module. \ No newline at end of file diff --git a/swift/ql/lib/change-notes/2025-01-27-outdated-deprecations.md b/swift/ql/lib/change-notes/2025-01-27-outdated-deprecations.md new file mode 100644 index 000000000000..d9fb3caedf90 --- /dev/null +++ b/swift/ql/lib/change-notes/2025-01-27-outdated-deprecations.md @@ -0,0 +1,5 @@ +--- +category: breaking +--- +* Deleted the deprecated `ArrayContent` class from the dataflow library, use `CollectionContent` instead. +* Deleted the deprecated `getOptionsInput`, `getRegexInput`, and `getStringInput` predicates from the regexp library, use `getAnOptionsInput`, `getRegexInputNode`, and `getStringInputNode` instead. \ No newline at end of file From c7fc164680546c0e5ba1b73cc88d034268515c3e Mon Sep 17 00:00:00 2001 From: erik-krogh Date: Tue, 28 Jan 2025 09:13:59 +0100 Subject: [PATCH 9/9] java: remove the `2` from `SafeTransformerFactoryFlow`, not that the previous naming conflict has been deleted --- java/ql/lib/semmle/code/java/security/XmlParsers.qll | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/XmlParsers.qll b/java/ql/lib/semmle/code/java/security/XmlParsers.qll index d470997e1be1..5ca1dd95f99e 100644 
--- a/java/ql/lib/semmle/code/java/security/XmlParsers.qll +++ b/java/ql/lib/semmle/code/java/security/XmlParsers.qll @@ -784,7 +784,7 @@ class TransformerFactorySource extends XmlParserCall { override Expr getSink() { result = this.getArgument(0) } override predicate isSafe() { - SafeTransformerFactoryFlow2::flowsTo(DataFlow::exprNode(this.getQualifier())) + SafeTransformerFactoryFlow::flowsTo(DataFlow::exprNode(this.getQualifier())) } } @@ -803,7 +803,7 @@ private predicate safeTransformerFactoryNode(DataFlow::Node src) { src.asExpr() instanceof SafeTransformerFactory } -private module SafeTransformerFactoryFlow2 = DataFlow::SimpleGlobal; +private module SafeTransformerFactoryFlow = DataFlow::SimpleGlobal; /** A safely configured `TransformerFactory`. */ class SafeTransformerFactory extends VarAccess { @@ -826,7 +826,7 @@ class SafeTransformer extends MethodCall { this.getMethod() = m and m.getDeclaringType() instanceof TransformerFactory and m.hasName("newTransformer") and - SafeTransformerFactoryFlow2::flowsTo(DataFlow::exprNode(this.getQualifier())) + SafeTransformerFactoryFlow::flowsTo(DataFlow::exprNode(this.getQualifier())) ) } } @@ -849,7 +849,7 @@ class SaxTransformerFactoryNewXmlFilter extends XmlParserCall { override Expr getSink() { result = this.getArgument(0) } override predicate isSafe() { - SafeTransformerFactoryFlow2::flowsTo(DataFlow::exprNode(this.getQualifier())) + SafeTransformerFactoryFlow::flowsTo(DataFlow::exprNode(this.getQualifier())) } }