add deprecated aliases in the old locations, and use the Query.qll pattern for js/polynomial-redos

2026-04-29 18:55:14 +02:00 · 2022-05-25 17:45:13 +02:00
parent 2e4c2df67e
commit 3bea7df45d
22 changed files with 120 additions and 43 deletions
--- a/javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll
@@ -0,0 +1,4 @@
+/** DEPRECATED. Import `semmle.javascript.security.regexp.ExponentialBackTracking` instead. */
+
+deprecated import semmle.javascript.security.regexp.ExponentialBackTracking as Dep
+import Dep
--- a/javascript/ql/lib/semmle/javascript/security/performance/PolynomialReDoS.qll
+++ b/javascript/ql/lib/semmle/javascript/security/performance/PolynomialReDoS.qll
@@ -0,0 +1,7 @@
+/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */
+
+import javascript
+private import semmle.javascript.security.regexp.PolynomialReDoSQuery as PolynomialReDoSQuery // ignore-query-import
+
+/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */
+deprecated module PolynomialReDoS = PolynomialReDoSQuery;
--- a/javascript/ql/lib/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll
@@ -0,0 +1,4 @@
+/** DEPRECATED. Import `semmle.javascript.security.regexp.PolynomialReDoSCustomizations` instead. */
+
+deprecated import semmle.javascript.security.regexp.PolynomialReDoSCustomizations as Dep
+import Dep
--- a/javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll
+++ b/javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll
@@ -0,0 +1,4 @@
+/** DEPRECATED. Import `semmle.javascript.security.regexp.NfaUtils` instead. */
+
+deprecated import semmle.javascript.security.regexp.NfaUtils as Dep
+import Dep
--- a/javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll
@@ -0,0 +1,4 @@
+/** DEPRECATED. Import `semmle.javascript.security.regexp.SuperlinearBackTracking` instead. */
+
+deprecated import semmle.javascript.security.regexp.SuperlinearBackTracking as Dep
+import Dep
--- a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoS.qll
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoS.qll
@@ -1,42 +0,0 @@
-/**
- * Provides a taint tracking configuration for reasoning about
- * polynomial regular expression denial-of-service attacks.
- *
- * Note, for performance reasons: only import this file if
- * `PolynomialReDoS::Configuration` is needed, otherwise
- * `PolynomialReDoSCustomizations` should be imported instead.
- */
-
-import javascript
-
-module PolynomialReDoS {
-  import PolynomialReDoSCustomizations::PolynomialReDoS
-
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "PolynomialReDoS" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
-      super.isSanitizerGuard(node) or
-      node instanceof LengthGuard
-    }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node) or
-      node instanceof Sanitizer
-    }
-
-    override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
-      super.hasFlowPath(source, sink) and
-      // require that there is a path without unmatched return steps
-      DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      DataFlow::localFieldStep(pred, succ)
-    }
-  }
-}
--- a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
@@ -0,0 +1,40 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * polynomial regular expression denial-of-service attacks.
+ *
+ * Note, for performance reasons: only import this file if
+ * `PolynomialReDoS::Configuration` is needed, otherwise
+ * `PolynomialReDoSCustomizations` should be imported instead.
+ */
+
+import javascript
+import PolynomialReDoSCustomizations::PolynomialReDoS
+
+/** A taint-tracking configuration for reasoning about polynomial regular expression denial-of-service attacks. */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "PolynomialReDoS" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
+    super.isSanitizerGuard(node) or
+    node instanceof LengthGuard
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node) or
+    node instanceof Sanitizer
+  }
+
+  override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
+    super.hasFlowPath(source, sink) and
+    // require that there is a path without unmatched return steps
+    DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    DataFlow::localFieldStep(pred, succ)
+  }
+}
--- a/javascript/ql/src/Performance/PolynomialReDoS.ql
+++ b/javascript/ql/src/Performance/PolynomialReDoS.ql
@@ -14,7 +14,7 @@
 */

 import javascript
-import semmle.javascript.security.regexp.PolynomialReDoS::PolynomialReDoS
+import semmle.javascript.security.regexp.PolynomialReDoSQuery
 import semmle.javascript.security.regexp.SuperlinearBackTracking
 import DataFlow::PathGraph