Delete the queries the Java team isn't currently interested in boosting

2026-05-21 22:57:11 +02:00 · 2023-01-03 11:17:22 -08:00
parent 3c44332f17
commit 39a4513fcc
3 changed files with 0 additions and 240 deletions
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
@@ -1,95 +0,0 @@
-/**
- * For internal use only.
- *
- * A taint-tracking configuration for reasoning about NoSQL injection vulnerabilities.
- * Defines shared code used by the NoSQL injection boosted query.
- */
-
-import java
-import semmle.code.java.dataflow.TaintTracking
-private import semmle.javascript.heuristics.SyntacticHeuristics
-private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
-import AdaptiveThreatModeling
-
-class NosqlInjectionAtmConfig extends AtmConfig {
-  NosqlInjectionAtmConfig() { this = "NosqlInjectionAtmConfig" }
-
-  override predicate isKnownSource(DataFlow::Node source) {
-    source instanceof NosqlInjection::Source or TaintedObject::isSource(source, _)
-  }
-
-  override EndpointType getASinkEndpointType() { result instanceof NosqlInjectionSinkType }
-
-  /*
-   * This is largely a copy of the taint tracking configuration for the standard NoSQL injection
-   * query, except additional ATM sinks have been added and the additional flow step has been
-   * generalised to cover the sinks predicted by ATM.
-   */
-
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    TaintedObject::isSource(source, label)
-  }
-
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink.(NosqlInjection::Sink).getAFlowLabel() = label
-    or
-    // Allow effective sinks to have any taint label
-    isEffectiveSink(sink)
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof NosqlInjection::Sanitizer
-  }
-
-  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-    guard instanceof TaintedObject::SanitizerGuard
-  }
-
-  override predicate isAdditionalFlowStep(
-    DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
-  ) {
-    // additional flow steps from the base (non-boosted) security query
-    isBaseAdditionalFlowStep(src, trg, inlbl, outlbl)
-    or
-    // relaxed version of previous step to track taint through unmodeled NoSQL query objects
-    isEffectiveSink(trg) and
-    src = getASubexpressionWithinQuery(trg)
-  }
-
-  /** Holds if src -> trg is an additional flow step in the non-boosted NoSql injection security query. */
-  private predicate isBaseAdditionalFlowStep(
-    DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
-  ) {
-    TaintedObject::step(src, trg, inlbl, outlbl)
-    or
-    // additional flow step to track taint through NoSQL query objects
-    inlbl = TaintedObject::label() and
-    outlbl = TaintedObject::label() and
-    exists(NoSql::Query query, DataFlow::SourceNode queryObj |
-      queryObj.flowsTo(query) and
-      queryObj.flowsTo(trg) and
-      src = queryObj.getAPropertyWrite().getRhs()
-    )
-  }
-
-  /**
-   * Gets a value that is (transitively) written to `query`, where `query` is a NoSQL sink.
-   *
-   * This predicate allows us to propagate data flow through property writes and array constructors
-   * within a query object, enabling the security query to pick up NoSQL injection vulnerabilities
-   * involving more complex queries.
-   */
-  private DataFlow::Node getASubexpressionWithinQuery(DataFlow::Node query) {
-    isEffectiveSink(query) and
-    exists(DataFlow::SourceNode receiver |
-      receiver = [getASubexpressionWithinQuery(query), query].getALocalSource()
-    |
-      result =
-        [
-          receiver.getAPropertyWrite().getRhs(),
-          receiver.(DataFlow::ArrayCreationNode).getAnElement()
-        ]
-    )
-  }
-}
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
@@ -1,57 +0,0 @@
-/**
- * For internal use only.
- *
- * A taint-tracking configuration for reasoning about XSS vulnerabilities.
- * Defines shared code used by the XSS boosted query.
- */
-
-private import semmle.javascript.heuristics.SyntacticHeuristics
-private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
-import AdaptiveThreatModeling
-
-class DomBasedXssAtmConfig extends AtmConfig {
-  DomBasedXssAtmConfig() { this = "DomBasedXssAtmConfig" }
-
-  override predicate isKnownSource(DataFlow::Node source) { source instanceof DomBasedXss::Source }
-
-  override EndpointType getASinkEndpointType() { result instanceof XssSinkType }
-
-  /*
-   * This is largely a copy of the taint tracking configuration for the standard XSSThroughDom query,
-   * except additional ATM sinks have been added to the `isSink` predicate.
-   */
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof DomBasedXss::Sanitizer
-  }
-
-  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-    guard instanceof PrefixStringSanitizerActivated or
-    guard instanceof QuoteGuard or
-    guard instanceof ContainsHtmlGuard
-  }
-
-  override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
-    DomBasedXss::isOptionallySanitizedEdge(pred, succ)
-  }
-}
-
-private import semmle.javascript.security.dataflow.Xss::Shared as Shared
-
-private class PrefixStringSanitizerActivated extends TaintTracking::SanitizerGuardNode,
-  DomBasedXss::PrefixStringSanitizer {
-  PrefixStringSanitizerActivated() { this = this }
-}
-
-private class PrefixStringActivated extends DataFlow::FlowLabel, DomBasedXss::PrefixString {
-  PrefixStringActivated() { this = this }
-}
-
-private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
-  QuoteGuard() { this = this }
-}
-
-private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
-  ContainsHtmlGuard() { this = this }
-}
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll
@@ -1,88 +0,0 @@
-/**
- * For internal use only.
- *
- * A taint-tracking configuration for reasoning about XSS through the DOM.
- * Defines shared code used by the XSS Through DOM boosted query.
- */
-
-private import semmle.javascript.heuristics.SyntacticHeuristics
-private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
-private import semmle.javascript.dataflow.InferredTypes
-private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom
-private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQuery
-import AdaptiveThreatModeling
-
-class XssThroughDomAtmConfig extends AtmConfig {
-  XssThroughDomAtmConfig() { this = "XssThroughDomAtmConfig" }
-
-  override predicate isKnownSource(DataFlow::Node source) {
-    source instanceof XssThroughDom::Source
-  }
-
-  override EndpointType getASinkEndpointType() { result instanceof XssSinkType }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof DomBasedXss::Sanitizer
-  }
-
-  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-    guard instanceof TypeTestGuard or
-    guard instanceof UnsafeJQuery::PropertyPresenceSanitizer or
-    guard instanceof UnsafeJQuery::NumberGuard or
-    guard instanceof PrefixStringSanitizer or
-    guard instanceof QuoteGuard or
-    guard instanceof ContainsHtmlGuard
-  }
-
-  override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
-    DomBasedXss::isOptionallySanitizedEdge(pred, succ)
-  }
-}
-
-/**
- * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
- *
- * This sanitizer helps prune infeasible paths in type-overloaded functions.
- */
-class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
-  override EqualityTest astNode;
-  Expr operand;
-  boolean polarity;
-
-  TypeTestGuard() {
-    exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
-      // typeof x === "string" sanitizes `x` when it evaluates to false
-      tag = "string" and
-      polarity = astNode.getPolarity().booleanNot()
-      or
-      // typeof x === "object" sanitizes `x` when it evaluates to true
-      tag != "string" and
-      polarity = astNode.getPolarity()
-    )
-  }
-
-  override predicate sanitizes(boolean outcome, Expr e) {
-    polarity = outcome and
-    e = operand
-  }
-}
-
-private import semmle.javascript.security.dataflow.Xss::Shared as Shared
-
-private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
-  DomBasedXss::PrefixStringSanitizer {
-  PrefixStringSanitizer() { this = this }
-}
-
-private class PrefixString extends DataFlow::FlowLabel, DomBasedXss::PrefixString {
-  PrefixString() { this = this }
-}
-
-private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
-  QuoteGuard() { this = this }
-}
-
-private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
-  ContainsHtmlGuard() { this = this }
-}