diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll index 87fd5003afb..ed47b6df8c9 100644 --- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll @@ -30,7 +30,7 @@ deprecated class IntentRedirectionConfiguration extends TaintTracking::Configura /** A taint tracking configuration for tainted Intents being used to start Android components. */ module IntentRedirectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink } @@ -57,7 +57,7 @@ private class OriginalIntentSanitizer extends IntentRedirectionSanitizer { * flowing directly to sinks that start Android components. */ private module SameIntentBeingRelaunchedConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink } @@ -93,7 +93,7 @@ private class IntentWithTaintedComponent extends DataFlow::Node { * A taint tracking configuration for tainted data flowing to an `Intent`'s component. */ private module TaintedIntentComponentConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { any(IntentSetComponent setComponent).getSink() = sink.asExpr() diff --git a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll index 09a74b2e536..d91910b546c 100644 --- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll +++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll @@ -74,7 +74,7 @@ class ExternalApkSource extends DataFlow::Node { sourceNode(this, "android-external-storage-dir") or this.asExpr().(MethodAccess).getMethod() instanceof UriConstructorMethod or this.asExpr().(StringLiteral).getValue().matches("file://%") or - this instanceof RemoteFlowSource + this instanceof ThreatModelFlowSource } } diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll index f2be743e11b..5003ceb8a3a 100644 --- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll @@ -6,7 +6,7 @@ private import semmle.code.java.security.ArithmeticCommon /** A taint-tracking configuration to reason about overflow from unvalidated user input. */ module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) } @@ -17,7 +17,7 @@ module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig { /** A taint-tracking configuration to reason about underflow from unvalidated user input. */ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) } diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll index 30772d9fdf1..cc0ed2a8810 100644 --- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll @@ -52,7 +52,7 @@ private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer * A taint-tracking configuration for unvalidated user input that is used to run an external process. */ module RemoteUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll index a45afda4105..705e9527944 100644 --- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll @@ -57,7 +57,7 @@ deprecated class ConditionalBypassFlowConfig extends TaintTracking::Configuratio * A taint tracking configuration for untrusted data flowing to sensitive conditions. */ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) } diff --git a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll index beef024eb15..f0127176cd9 100644 --- a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll +++ b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll @@ -106,10 +106,10 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu } /** - * Taint tracking configuration for flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. + * Taint tracking configuration for flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. */ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } } diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll index 25d4e2b4fa5..a71ebc964f6 100644 --- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll @@ -8,7 +8,7 @@ private import semmle.code.java.StringFormat * A taint-tracking configuration for externally controlled format string vulnerabilities. */ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(StringFormat formatCall).getFormatArgument() diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll index 6164a6663a0..97ad1d7a564 100644 --- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll @@ -28,7 +28,7 @@ deprecated class FragmentInjectionTaintConf extends TaintTracking::Configuration * that is used to create Android fragments dynamically. */ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll index 1d3c55398a5..aecd634b541 100644 --- a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll @@ -28,7 +28,7 @@ deprecated class GroovyInjectionConfig extends TaintTracking::Configuration { * that is used to evaluate a Groovy expression. */ module GroovyInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll index 23e7443fc43..8bef1ec3650 100644 --- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll @@ -5,10 +5,11 @@ private import semmle.code.java.security.internal.ArraySizing private import semmle.code.java.dataflow.FlowSources /** - * A taint-tracking configuration to reason about improper validation of user-provided size used for array construction. + * A taint-tracking configuration to reason about improper validation of + * user-provided size used for array construction. */ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _) @@ -16,7 +17,8 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi } /** - * Taint-tracking flow for improper validation of user-provided size used for array construction. + * Taint-tracking flow for improper validation of user-provided size used + * for array construction. */ module ImproperValidationOfArrayConstructionFlow = TaintTracking::Global; diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll index fd93b73b7c3..440600b8a7c 100644 --- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll @@ -5,10 +5,11 @@ private import semmle.code.java.security.internal.ArraySizing private import semmle.code.java.dataflow.FlowSources /** - * A taint-tracking configuration to reason about improper validation of user-provided array index. + * A taint-tracking configuration to reason about improper validation + * of user-provided array index. */ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr()) diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll index 3d7c7f2fa94..4e2b85d56c2 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll @@ -46,7 +46,7 @@ class SetMessageInterpolatorCall extends MethodAccess { * to the argument of a method that builds constraint error messages. */ module BeanValidationConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink } } diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll index f563b4bf093..ada91f4f8c2 100644 --- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll @@ -39,7 +39,7 @@ deprecated class IntentUriPermissionManipulationConf extends TaintTracking::Conf * A taint tracking configuration for user-provided Intents being returned to third party apps. */ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof IntentUriPermissionManipulationSink } diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll index dd877720495..8f08eee44a4 100644 --- a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll @@ -63,7 +63,7 @@ deprecated class JexlInjectionConfig extends TaintTracking::Configuration { * It supports both JEXL 2 and 3. */ module JexlInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink } diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll index d189c119080..cf1520b3dd5 100644 --- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll @@ -33,7 +33,7 @@ deprecated class JndiInjectionFlowConfig extends TaintTracking::Configuration { * A taint-tracking configuration for unvalidated user input that is used in JNDI lookup. */ module JndiInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll index c0f52cdf659..5c055c00516 100644 --- a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll @@ -8,7 +8,7 @@ import semmle.code.java.security.LdapInjection * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries. */ module LdapInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof LdapInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll index 5b57847d286..f66ae7f5808 100644 --- a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll @@ -27,7 +27,7 @@ deprecated class LogInjectionConfiguration extends TaintTracking::Configuration * A taint-tracking configuration for tracking untrusted user input used in log entries. */ module LogInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll index a87d7554dd7..c2697861d7c 100644 --- a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll @@ -32,7 +32,7 @@ deprecated class MvelInjectionFlowConfig extends TaintTracking::Configuration { * that is used to construct and evaluate a MVEL expression. */ module MvelInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof MvelEvaluationSink } diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll index d3098a18a11..58a93319350 100644 --- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll @@ -85,7 +85,7 @@ private predicate smallExpr(Expr e) { * numeric cast. */ module NumericCastFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll index d0dfdda94a4..19995e2a25b 100644 --- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll @@ -29,7 +29,7 @@ deprecated class OgnlInjectionFlowConfig extends TaintTracking::Configuration { * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation. */ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll index 1fd25df25aa..b00a8388550 100644 --- a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll +++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll @@ -29,7 +29,7 @@ deprecated class PartialPathTraversalFromRemoteConfig extends TaintTracking::Con * and remains vulnerable to Partial Path Traversal. */ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node node) { any(PartialPathTraversalMethodAccess ma).getQualifier() = node.asExpr() diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll index 6a79193c4fd..bfaac0d9919 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll @@ -37,7 +37,7 @@ deprecated class RequestForgeryConfiguration extends TaintTracking::Configuratio */ module RequestForgeryConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof RemoteFlowSource and + source instanceof ThreatModelFlowSource and // Exclude results of remote HTTP requests: fetching something else based on that result // is no worse than following a redirect returned by the remote server, and typically // we're requesting a resource via https which we trust to only send us to safe URLs. diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll index 5ac4953422a..5cc7422e787 100644 --- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll @@ -9,7 +9,7 @@ import semmle.code.java.security.ResponseSplitting */ module ResponseSplittingConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof RemoteFlowSource and + source instanceof ThreatModelFlowSource and not source instanceof SafeHeaderSplittingSource } diff --git a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll index ca3b385239b..0f3526bfd7f 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll @@ -18,7 +18,7 @@ private class ResultReceiverSendCall extends MethodAccess { } private module UntrustedResultReceiverConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node node) { node.asExpr() = any(ResultReceiverSendCall c).getReceiver() diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll index e54515f4827..b1a17e0fdd6 100644 --- a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll @@ -29,7 +29,7 @@ deprecated class SpelInjectionConfig extends TaintTracking::Configuration { * that is used to construct and evaluate a SpEL expression. */ module SpelInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof SpelExpressionEvaluationSink } diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll index a90a23c2165..23166bc17c3 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll @@ -52,7 +52,7 @@ private class TaintPreservingUriCtorParam extends Parameter { * A taint-tracking configuration for tracking flow from remote sources to the creation of a path. */ module TaintedPathConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") } diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll index bd568355886..b3e9bb86aaa 100644 --- a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll +++ b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll @@ -62,7 +62,7 @@ abstract class TemplateInjectionSanitizerWithState extends DataFlow::Node { abstract predicate hasState(DataFlow::FlowState state); } -private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof RemoteFlowSource +private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof ThreatModelFlowSource { } private class DefaultTemplateInjectionSink extends TemplateInjectionSink { diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll index a89f24e6f1f..69ea9f4bcae 100644 --- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll @@ -12,7 +12,8 @@ private import semmle.code.java.frameworks.owasp.Esapi */ abstract class TrustBoundaryViolationSource extends DataFlow::Node { } -private class RemoteSource extends TrustBoundaryViolationSource instanceof RemoteFlowSource { } +private class ThreatModelSource extends TrustBoundaryViolationSource instanceof ThreatModelFlowSource +{ } /** * A sink for data that crosses a trust boundary. diff --git a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll index 267bfd6bf39..bf25cd3117e 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll @@ -27,7 +27,7 @@ deprecated class FetchUntrustedResourceConfiguration extends TaintTracking::Conf * A taint configuration tracking flow from untrusted inputs to a resource fetching call. */ module FetchUntrustedResourceConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll index 424edace82a..a43864f8b53 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll @@ -30,7 +30,7 @@ deprecated class UnsafeContentResolutionConf extends TaintTracking::Configuratio * A taint-tracking configuration to find paths from remote sources to content URI resolutions. */ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll index 550b778d8db..e3b69ed0cc1 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll @@ -324,7 +324,7 @@ deprecated class UnsafeDeserializationConfig extends TaintTracking::Configuratio /** Tracks flows from remote user input to a deserialization sink. */ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink } @@ -448,7 +448,7 @@ deprecated class UnsafeTypeConfig extends TaintTracking2::Configuration { * If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type. */ module UnsafeTypeConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeTypeSink } diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll index 552435d8af7..cdae7839366 100644 --- a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll @@ -8,7 +8,7 @@ private import semmle.code.java.security.UrlRedirect * A taint-tracking configuration for reasoning about URL redirections. */ module UrlRedirectConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink } } diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll index 7615784896d..38dc1ff993c 100644 --- a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll @@ -9,7 +9,7 @@ private import semmle.code.java.security.XPath * A taint-tracking configuration for reasoning about XPath injection vulnerabilities. */ module XPathInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink } } diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll index 5622ef60a84..d852a4a9095 100644 --- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll @@ -31,7 +31,7 @@ deprecated class XsltInjectionFlowConfig extends TaintTracking::Configuration { * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation. */ module XsltInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll index 06bccc993a4..9236a7185c3 100644 --- a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll @@ -28,7 +28,7 @@ deprecated class XxeConfig extends TaintTracking::Configuration { * A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion. */ module XxeConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink } diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll index 4d7f963e968..9c1c1d92956 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll +++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll @@ -66,7 +66,7 @@ deprecated predicate hasPolynomialReDoSResult( /** A configuration for Polynomial ReDoS queries. */ module PolynomialRedosConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp | diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll index 409143c18f8..5d44139e02e 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll @@ -24,7 +24,7 @@ deprecated class RegexInjectionConfiguration extends TaintTracking::Configuratio * A taint-tracking configuration for untrusted user input used to construct regular expressions. */ module RegexInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql index 14bef1791cc..33d060de691 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql @@ -43,7 +43,7 @@ class Log4jInjectionSanitizer extends DataFlow::Node { * A taint-tracking configuration for tracking untrusted user input used in log entries. */ module Log4jInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof Log4jInjectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql index 000ecee2999..fedde6f21a0 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql @@ -33,7 +33,7 @@ class UrlConstructor extends ClassInstanceExpr { } module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { exists(MethodAccess m | diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql index ba3411e4da2..26b2c8d83ea 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql @@ -48,7 +48,7 @@ class NormalizedPathNode extends DataFlow::Node { } module InjectFilePathConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") and diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql index 8c020b6f22b..c185a4f67da 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql @@ -14,7 +14,7 @@ import CommandInjectionRuntimeExec import ExecUserFlow::PathGraph -class RemoteSource extends Source instanceof RemoteFlowSource { } +class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } from ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd, diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql index c31e69f09fb..d4fe781fe37 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql @@ -20,7 +20,7 @@ import semmle.code.java.dataflow.TaintTracking import MyBatisAnnotationSqlInjectionFlow::PathGraph private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument } diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql index be58b8fecb0..44942f13344 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql @@ -20,7 +20,7 @@ import semmle.code.java.dataflow.FlowSources import MyBatisMapperXmlSqlInjectionFlow::PathGraph private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql index a867bfcb866..c67455d3da9 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql @@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking import BeanShellInjectionFlow::PathGraph module BeanShellInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql index 30e4a5e4137..88eebc1ab7f 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql @@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking import JShellInjectionFlow::PathGraph module JShellInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll index f14e03f7507..b288a1a4a19 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll @@ -8,7 +8,7 @@ import semmle.code.java.dataflow.TaintTracking * that is used to construct and evaluate an expression. */ module JakartaExpressionInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionEvaluationSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql index 328792e89fc..ec3628126bd 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql @@ -99,17 +99,17 @@ class CodeInjectionSink extends DataFlow::ExprNode { } /** - * A taint configuration for tracking flow from `RemoteFlowSource` to a Jython method call + * A taint configuration for tracking flow from `ThreatModelFlowSource` to a Jython method call * `CodeInjectionSink` that executes injected code. */ module CodeInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } } /** - * Taint tracking flow from `RemoteFlowSource` to a Jython method call + * Taint tracking flow from `ThreatModelFlowSource` to a Jython method call * `CodeInjectionSink` that executes injected code. */ module CodeInjectionFlow = TaintTracking::Global; diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql index ffbbab93d8e..21e36bbdd00 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql @@ -131,11 +131,11 @@ class ScriptInjectionSink extends DataFlow::ExprNode { } /** - * A taint tracking configuration that tracks flow from `RemoteFlowSource` to an argument + * A taint tracking configuration that tracks flow from `ThreatModelFlowSource` to an argument * of a method call that executes injected script. */ module ScriptInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink } } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll index 7b7c2d8c8fd..943b946e95d 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll @@ -42,7 +42,7 @@ class PortletRenderRequestMethod extends Method { */ module SpringViewManipulationConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof RemoteFlowSource or + source instanceof ThreatModelFlowSource or source instanceof WebRequestSource or source.asExpr().(MethodAccess).getMethod() instanceof PortletRenderRequestMethod } diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql index 81a181da0f0..f32c1682c29 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql @@ -19,7 +19,7 @@ import AndroidWebResourceResponse import InsecureWebResourceResponseFlow::PathGraph module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll index 8f4f6e1b4e2..194ae34b792 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll @@ -148,7 +148,7 @@ private predicate updateMessageDigestStep(DataFlow2::Node fromNode, DataFlow2::N * such as cipher, MAC or signature. */ private module UserInputInCryptoOperationConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { exists(ProduceCryptoCall call | call.getQualifier() = sink.asExpr()) @@ -214,7 +214,7 @@ private class NonConstantTimeComparisonCall extends StaticMethodAccess { * that compare inputs using a non-constant-time algorithm. */ private module UserInputInComparisonConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { exists(NonConstantTimeEqualsCall call | diff --git a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql index b5a457d14bb..f9a86e1c5f4 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql @@ -63,7 +63,7 @@ module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig { module CorsSourceReachesCheckFlow = TaintTracking::Global; private module CorsOriginConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { exists(MethodAccess corsHeader, MethodAccess allowCredentialsHeader | diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql index 847f6eecdef..58448c0ed9d 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql @@ -22,7 +22,7 @@ import RequestResponseFlow::PathGraph /** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */ module RequestResponseFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof RemoteFlowSource and + source instanceof ThreatModelFlowSource and any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable()) } diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll index 8833a42b8b0..b9bbea33d0d 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll @@ -77,16 +77,26 @@ class JsonpBuilderExpr extends AddExpr { Expr getJsonExpr() { result = this.getLeftOperand().(AddExpr).getRightOperand() } } -/** A data flow configuration tracing flow from remote sources to jsonp function name. */ -module RemoteFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } +/** A data flow configuration tracing flow from threat model sources to jsonp function name. */ +module ThreatModelFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { exists(JsonpBuilderExpr jhe | jhe.getFunctionName() = sink.asExpr()) } } -module RemoteFlow = DataFlow::Global; +/** + * DEPRECATED: Use `ThreatModelFlowConfig` instead. + */ +deprecated module RemoteFlowConfig = ThreatModelFlowConfig; + +module ThreatModelFlow = DataFlow::Global; + +/** + * DEPRECATED: Use `ThreatModelFlow` instead. + */ +deprecated module RemoteFlow = ThreatModelFlow; /** A data flow configuration tracing flow from json data into the argument `json` of JSONP-like string `someFunctionName + "(" + json + ")"`. */ module JsonDataFlowConfig implements DataFlow::ConfigSig { @@ -105,7 +115,7 @@ module JsonpInjectionFlowConfig implements DataFlow::ConfigSig { exists(JsonpBuilderExpr jhe | jhe = src.asExpr() and JsonDataFlow::flowTo(DataFlow::exprNode(jhe.getJsonExpr())) and - RemoteFlow::flowTo(DataFlow::exprNode(jhe.getFunctionName())) + ThreatModelFlow::flowTo(DataFlow::exprNode(jhe.getFunctionName())) ) } diff --git a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql index 19becee1a6a..a42a91ea17b 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql @@ -17,7 +17,7 @@ import ThreadResourceAbuseFlow::PathGraph /** Taint configuration of uncontrolled thread resource consumption. */ module ThreadResourceAbuseConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql index 06ec7cbe853..53b27b38df9 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql @@ -32,7 +32,7 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) { } module UnsafeReflectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql index d1b92f22563..bf0b5605c90 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql @@ -21,7 +21,7 @@ import UnsafeUrlForwardFlow::PathGraph module UnsafeUrlForwardFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof RemoteFlowSource and + source instanceof ThreatModelFlowSource and not exists(MethodAccess ma, Method m | ma.getMethod() = m | ( m instanceof HttpServletRequestGetRequestUriMethod or diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql index fc0a7c83ddd..c8e2523879a 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql @@ -65,9 +65,9 @@ class UncaughtServletExceptionSink extends DataFlow::ExprNode { } } -/** Taint configuration of uncaught exceptions caused by user provided data from `RemoteFlowSource` */ +/** Taint configuration of uncaught exceptions caused by user provided data from `ThreatModelFlowSource` */ module UncaughtServletExceptionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof UncaughtServletExceptionSink } } diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql index 52ddfd2a187..7ac2ffa28d1 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql @@ -26,7 +26,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) { } module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql index a5c2f8012c0..f7a8c335f1a 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql @@ -20,7 +20,7 @@ import XQueryInjectionFlow::PathGraph * A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution. */ module XQueryInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or diff --git a/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql b/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql index 41a4c8115d4..f2c31e566b8 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql @@ -24,7 +24,7 @@ import NfeLocalDoSFlow::PathGraph */ module NfeLocalDoSConfig implements DataFlow::ConfigSig { /** Holds if source is a remote flow source */ - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } /** Holds if NFE is thrown but not caught */ predicate isSink(DataFlow::Node sink) { diff --git a/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql b/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql index 29d355671ec..c41024c029b 100644 --- a/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql +++ b/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql @@ -9,7 +9,7 @@ class TestRemoteFlowSource extends RemoteFlowSource { } module TaintFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node n) { n instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node n) { exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument()) diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql index 93ab3fe066d..d7d94430486 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql @@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { DefaultFlowConfig::isSource(node) or - node instanceof RemoteFlowSource + node instanceof ThreatModelFlowSource } predicate isSink = DefaultFlowConfig::isSink/1; diff --git a/java/ql/test/library-tests/frameworks/android/content-provider/test.ql b/java/ql/test/library-tests/frameworks/android/content-provider/test.ql index 2c6bd09dc40..8293f7f4ff4 100644 --- a/java/ql/test/library-tests/frameworks/android/content-provider/test.ql +++ b/java/ql/test/library-tests/frameworks/android/content-provider/test.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module ProviderTaintFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node n) { n instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node n) { DefaultFlowConfig::isSink(n) } diff --git a/java/ql/test/library-tests/frameworks/android/external-storage/test.ql b/java/ql/test/library-tests/frameworks/android/external-storage/test.ql index 64ff27077df..89a353eedc9 100644 --- a/java/ql/test/library-tests/frameworks/android/external-storage/test.ql +++ b/java/ql/test/library-tests/frameworks/android/external-storage/test.ql @@ -4,7 +4,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module Config implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink.asExpr().(Argument).getCall().getCallee().hasName("sink") diff --git a/java/ql/test/library-tests/frameworks/android/slice/test.ql b/java/ql/test/library-tests/frameworks/android/slice/test.ql index 787f93df5a0..8540c0604a8 100644 --- a/java/ql/test/library-tests/frameworks/android/slice/test.ql +++ b/java/ql/test/library-tests/frameworks/android/slice/test.ql @@ -5,7 +5,7 @@ import semmle.code.java.dataflow.FlowSources module SliceValueFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - DefaultFlowConfig::isSource(source) or source instanceof RemoteFlowSource + DefaultFlowConfig::isSource(source) or source instanceof ThreatModelFlowSource } predicate isSink = DefaultFlowConfig::isSink/1; diff --git a/java/ql/test/library-tests/frameworks/android/sources/OnActivityResultSourceTest.ql b/java/ql/test/library-tests/frameworks/android/sources/OnActivityResultSourceTest.ql index 5b163a81935..9b067cd00dd 100644 --- a/java/ql/test/library-tests/frameworks/android/sources/OnActivityResultSourceTest.ql +++ b/java/ql/test/library-tests/frameworks/android/sources/OnActivityResultSourceTest.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module SourceValueFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) } diff --git a/java/ql/test/library-tests/frameworks/apache-http/flow.ql b/java/ql/test/library-tests/frameworks/apache-http/flow.ql index 540b4847ff3..0674c3d815f 100644 --- a/java/ql/test/library-tests/frameworks/apache-http/flow.ql +++ b/java/ql/test/library-tests/frameworks/apache-http/flow.ql @@ -9,7 +9,7 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") or - n instanceof RemoteFlowSource + n instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node n) { diff --git a/java/ql/test/library-tests/frameworks/guice/flow.ql b/java/ql/test/library-tests/frameworks/guice/flow.ql index e8e58e6cbb8..01f0eef9562 100644 --- a/java/ql/test/library-tests/frameworks/guice/flow.ql +++ b/java/ql/test/library-tests/frameworks/guice/flow.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking module Config implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { exists(MethodAccess ma | diff --git a/java/ql/test/library-tests/frameworks/jms/FlowTest.ql b/java/ql/test/library-tests/frameworks/jms/FlowTest.ql index ef42c248189..062caadc795 100644 --- a/java/ql/test/library-tests/frameworks/jms/FlowTest.ql +++ b/java/ql/test/library-tests/frameworks/jms/FlowTest.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineExpectationsTest module TestConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { exists(MethodAccess call | diff --git a/java/ql/test/library-tests/frameworks/netty/manual/test.ql b/java/ql/test/library-tests/frameworks/netty/manual/test.ql index c67cf1835fa..70da9eb5f0f 100644 --- a/java/ql/test/library-tests/frameworks/netty/manual/test.ql +++ b/java/ql/test/library-tests/frameworks/netty/manual/test.ql @@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { DefaultFlowConfig::isSource(node) or - node instanceof RemoteFlowSource + node instanceof ThreatModelFlowSource } predicate isSink = DefaultFlowConfig::isSink/1; diff --git a/java/ql/test/library-tests/frameworks/rabbitmq/FlowTest.ql b/java/ql/test/library-tests/frameworks/rabbitmq/FlowTest.ql index 0adb5a87783..0d20d80bacd 100644 --- a/java/ql/test/library-tests/frameworks/rabbitmq/FlowTest.ql +++ b/java/ql/test/library-tests/frameworks/rabbitmq/FlowTest.ql @@ -4,7 +4,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module Config implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node node) { exists(MethodAccess ma | ma.getMethod().hasName("sink") | node.asExpr() = ma.getAnArgument()) diff --git a/java/ql/test/library-tests/frameworks/ratpack/flow.ql b/java/ql/test/library-tests/frameworks/ratpack/flow.ql index eab631f0589..ce5b8252f55 100644 --- a/java/ql/test/library-tests/frameworks/ratpack/flow.ql +++ b/java/ql/test/library-tests/frameworks/ratpack/flow.ql @@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") or - n instanceof RemoteFlowSource + n instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node n) { diff --git a/java/ql/test/library-tests/frameworks/spring/controller/test.ql b/java/ql/test/library-tests/frameworks/spring/controller/test.ql index 35b3d064e5a..d8f6b13e870 100644 --- a/java/ql/test/library-tests/frameworks/spring/controller/test.ql +++ b/java/ql/test/library-tests/frameworks/spring/controller/test.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module ValueFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink.asExpr().(Argument).getCall().getCallee().hasName("sink")