Merge pull request #15062 from aschackmull/dataflow/deprecate-flowstatestring

Dataflow: Deprecate FlowStateString.

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll

@@ -63,13 +63,18 @@ deprecated class Configuration extends TaintTracking::Configuration {
   }
 }
 
+abstract private class NormalizationState extends string {
+  bindingset[this]
+  NormalizationState() { any() }
+}
+
 /** A state signifying that the file path has not been normalized. */
-class NotNormalized extends DataFlow::FlowState {
+class NotNormalized extends NormalizationState {
   NotNormalized() { this = "NotNormalized" }
 }
 
 /** A state signifying that the file path has been normalized, but not checked. */
-class NormalizedUnchecked extends DataFlow::FlowState {
+class NormalizedUnchecked extends NormalizationState {
   NormalizedUnchecked() { this = "NormalizedUnchecked" }
 }
 
@@ -85,7 +90,7 @@ class NormalizedUnchecked extends DataFlow::FlowState {
  * Such checks are ineffective in the `NotNormalized` state.
  */
 module PathInjectionConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowState;
+  class FlowState = NormalizationState;
 
   predicate isSource(DataFlow::Node source, FlowState state) {
     source instanceof Source and state instanceof NotNormalized

python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidationQuery.qll

@@ -12,13 +12,18 @@ import semmle.python.dataflow.new.internal.TaintTrackingPrivate
 import semmle.python.dataflow.new.RemoteFlowSources
 import UnicodeBypassValidationCustomizations::UnicodeBypassValidation
 
+abstract private class ValidationState extends string {
+  bindingset[this]
+  ValidationState() { any() }
+}
+
 /** A state signifying that a logical validation has not been performed. */
-class PreValidation extends DataFlow::FlowState {
+class PreValidation extends ValidationState {
   PreValidation() { this = "PreValidation" }
 }
 
 /** A state signifying that a logical validation has been performed. */
-class PostValidation extends DataFlow::FlowState {
+class PostValidation extends ValidationState {
   PostValidation() { this = "PostValidation" }
 }
 
@@ -29,7 +34,7 @@ class PostValidation extends DataFlow::FlowState {
  * to track the requirement that a logical validation has been performed before the Unicode Transformation.
  */
 private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowState;
+  class FlowState = ValidationState;
 
   predicate isSource(DataFlow::Node source, FlowState state) {
     source instanceof RemoteFlowSource and state instanceof PreValidation