mirror of
https://github.com/github/codeql.git
synced 2026-05-14 11:19:27 +02:00
Merge branch 'main' into fix/path-injection-read-subkind
This commit is contained in:
MarkLee131
@@ -2732,11 +2732,6 @@ class PatternExpr extends Expr {
|
||||
*/
|
||||
LocalVariableDeclExpr asBindingOrUnnamedPattern() { result = this }
|
||||
|
||||
/**
|
||||
* DEPRECATED: alias for `asBindingOrUnnamedPattern`.
|
||||
*/
|
||||
deprecated LocalVariableDeclExpr asBindingPattern() { result = this.asBindingOrUnnamedPattern() }
|
||||
|
||||
/**
|
||||
* Gets this pattern cast to a record pattern.
|
||||
*/
|
||||
|
||||
@@ -810,14 +810,6 @@ class Field extends Member, ExprParent, @field, Variable {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: The result is always `this`.
|
||||
*/
|
||||
deprecated Field getSourceDeclaration() { result = this }
|
||||
|
||||
/** DEPRECATED: This always holds. */
|
||||
deprecated predicate isSourceDeclaration() { any() }
|
||||
|
||||
override predicate isPublic() {
|
||||
Member.super.isPublic()
|
||||
or
|
||||
|
||||
@@ -558,11 +558,6 @@ class ConstCase extends SwitchCase {
|
||||
class PatternCase extends SwitchCase {
|
||||
PatternCase() { exists(PatternExpr pe | pe.isNthChildOf(this, _)) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: alias for getPattern(0)
|
||||
*/
|
||||
deprecated PatternExpr getPattern() { result = this.getPattern(0) }
|
||||
|
||||
/**
|
||||
* Gets this case's `n`th pattern.
|
||||
*/
|
||||
|
||||
@@ -637,9 +637,6 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
|
||||
this.(NestedType).getEnclosingType().getNestedName() + "$" + this.getName() = result
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for `getNestedName`. */
|
||||
deprecated string nestedName() { result = this.getNestedName() }
|
||||
|
||||
/**
|
||||
* Gets the source declaration of this type.
|
||||
*
|
||||
|
||||
@@ -10,57 +10,6 @@ import java
|
||||
* Predicates for basic-block-level dominance.
|
||||
*/
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `BasicBlock::immediatelyDominates` instead.
|
||||
*
|
||||
* The immediate dominance relation for basic blocks.
|
||||
*/
|
||||
deprecated predicate bbIDominates(BasicBlock dom, BasicBlock node) {
|
||||
dom.immediatelyDominates(node)
|
||||
}
|
||||
|
||||
/** Exit points for basic-block control-flow. */
|
||||
private predicate bbSink(BasicBlock exit) { exit.getLastNode() instanceof ControlFlow::ExitNode }
|
||||
|
||||
/** Reversed `bbSucc`. */
|
||||
private predicate bbPred(BasicBlock post, BasicBlock pre) { post = pre.getASuccessor() }
|
||||
|
||||
/** The immediate post-dominance relation on basic blocks. */
|
||||
deprecated predicate bbIPostDominates(BasicBlock dominator, BasicBlock node) =
|
||||
idominance(bbSink/1, bbPred/2)(_, dominator, node)
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `BasicBlock::strictlyDominates` instead.
|
||||
*
|
||||
* Holds if `dom` strictly dominates `node`.
|
||||
*/
|
||||
deprecated predicate bbStrictlyDominates(BasicBlock dom, BasicBlock node) {
|
||||
dom.strictlyDominates(node)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `BasicBlock::dominates` instead.
|
||||
*
|
||||
* Holds if `dom` dominates `node`. (This is reflexive.)
|
||||
*/
|
||||
deprecated predicate bbDominates(BasicBlock dom, BasicBlock node) { dom.dominates(node) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `BasicBlock::strictlyPostDominates` instead.
|
||||
*
|
||||
* Holds if `dom` strictly post-dominates `node`.
|
||||
*/
|
||||
deprecated predicate bbStrictlyPostDominates(BasicBlock dom, BasicBlock node) {
|
||||
dom.strictlyPostDominates(node)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `BasicBlock::postDominates` instead.
|
||||
*
|
||||
* Holds if `dom` post-dominates `node`. (This is reflexive.)
|
||||
*/
|
||||
deprecated predicate bbPostDominates(BasicBlock dom, BasicBlock node) { dom.postDominates(node) }
|
||||
|
||||
/**
|
||||
* The dominance frontier relation for basic blocks.
|
||||
*
|
||||
|
||||
@@ -43,14 +43,6 @@ abstract class SourceNode extends DataFlow::Node {
|
||||
abstract string getThreatModel();
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ActiveThreatModelSource` instead.
|
||||
*
|
||||
* A class of data flow sources that respects the
|
||||
* current threat model configuration.
|
||||
*/
|
||||
deprecated class ThreatModelFlowSource = ActiveThreatModelSource;
|
||||
|
||||
/**
|
||||
* A data flow source that is enabled in the current threat model configuration.
|
||||
*/
|
||||
|
||||
@@ -8,14 +8,6 @@ import java
|
||||
private import internal.FlowSummaryImpl as Impl
|
||||
private import internal.DataFlowUtil
|
||||
|
||||
deprecated class SummaryComponent = Impl::Private::SummaryComponent;
|
||||
|
||||
deprecated module SummaryComponent = Impl::Private::SummaryComponent;
|
||||
|
||||
deprecated class SummaryComponentStack = Impl::Private::SummaryComponentStack;
|
||||
|
||||
deprecated module SummaryComponentStack = Impl::Private::SummaryComponentStack;
|
||||
|
||||
/** A synthetic callable with a set of concrete call sites and a flow summary. */
|
||||
abstract class SyntheticCallable extends string {
|
||||
bindingset[this]
|
||||
@@ -147,5 +139,3 @@ private class SummarizedSyntheticCallableAdapter extends SummarizedCallable::Ran
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack;
|
||||
|
||||
@@ -196,18 +196,6 @@ Expr basicNullGuard(Expr e, boolean branch, boolean isnull) {
|
||||
Guards_v3::nullGuard(result, any(GuardValue v | v.asBooleanValue() = branch), e, isnull)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `basicNullGuard` instead.
|
||||
*
|
||||
* Gets an expression that directly tests whether a given expression, `e`, is null or not.
|
||||
*
|
||||
* If `result` evaluates to `branch`, then `e` is guaranteed to be null if `isnull`
|
||||
* is true, and non-null if `isnull` is false.
|
||||
*/
|
||||
deprecated Expr basicOrCustomNullGuard(Expr e, boolean branch, boolean isnull) {
|
||||
result = basicNullGuard(e, branch, isnull)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets an expression that directly tests whether a given SSA variable is null or not.
|
||||
*
|
||||
@@ -218,18 +206,6 @@ Expr directNullGuard(SsaDefinition v, boolean branch, boolean isnull) {
|
||||
result = basicNullGuard(sameValue(v, _), branch, isnull)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `nullGuardControls`/`nullGuardControlsBranchEdge` instead.
|
||||
*
|
||||
* Gets a `Guard` that tests (possibly indirectly) whether a given SSA variable is null or not.
|
||||
*
|
||||
* If `result` evaluates to `branch`, then `v` is guaranteed to be null if `isnull`
|
||||
* is true, and non-null if `isnull` is false.
|
||||
*/
|
||||
deprecated Guard nullGuard(SsaDefinition v, boolean branch, boolean isnull) {
|
||||
result = directNullGuard(v, branch, isnull)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if there exists a null check on `v`, such that taking the branch edge
|
||||
* from `bb1` to `bb2` implies that `v` is guaranteed to be null if `isnull` is
|
||||
|
||||
@@ -198,19 +198,6 @@ module Public {
|
||||
or
|
||||
result = this.getType() and not exists(this.getImprovedTypeBound())
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this element is at the specified location.
|
||||
* The location spans column `startcolumn` of line `startline` to
|
||||
* column `endcolumn` of line `endline` in file `filepath`.
|
||||
* For more information, see
|
||||
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
|
||||
*/
|
||||
deprecated predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -48,18 +48,6 @@ class MethodLdapNameAddAll extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: No longer needed as clone steps are handled uniformly.
|
||||
*
|
||||
* A method with the name `clone` declared in `javax.naming.ldap.LdapName`.
|
||||
*/
|
||||
deprecated class MethodLdapNameClone extends Method {
|
||||
MethodLdapNameClone() {
|
||||
this.getDeclaringType() instanceof TypeLdapName and
|
||||
this.hasName("clone")
|
||||
}
|
||||
}
|
||||
|
||||
/** A method with the name `getAll` declared in `javax.naming.ldap.LdapName`. */
|
||||
class MethodLdapNameGetAll extends Method {
|
||||
MethodLdapNameGetAll() {
|
||||
|
||||
@@ -156,9 +156,6 @@ class SpringRequestMappingMethod extends SpringControllerMethod {
|
||||
result = this.getProducesExpr().(CompileTimeConstantExpr).getStringValue()
|
||||
}
|
||||
|
||||
/** DEPRECATED: Use `getAValue()` instead. */
|
||||
deprecated string getValue() { result = requestMappingAnnotation.getStringValue("value") }
|
||||
|
||||
/**
|
||||
* Gets a "value" @RequestMapping annotation string value, if present.
|
||||
*
|
||||
|
||||
@@ -20,13 +20,6 @@ class AndroidNetworkSecurityConfigFile extends XmlFile {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use `semmle.code.java.frameworks.android.Android::inAndroidApplication` instead.
|
||||
*
|
||||
* Holds if this database contains an Android manifest file.
|
||||
*/
|
||||
deprecated predicate isAndroid() { exists(AndroidManifestXmlFile m) }
|
||||
|
||||
/** Holds if the given domain name is trusted by the Network Security Configuration XML file. */
|
||||
private predicate trustedDomainViaXml(string domainName) {
|
||||
exists(
|
||||
|
||||
@@ -1,49 +1,5 @@
|
||||
/** Provides taint-tracking configurations to reason about arithmetic using local-user-controlled data. */
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.ArithmeticCommon
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ArithmeticOverflowConfig` instead.
|
||||
*
|
||||
* A taint-tracking configuration to reason about arithmetic overflow using local-user-controlled data.
|
||||
*/
|
||||
deprecated module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
|
||||
|
||||
predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ArithmeticOverflow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for arithmetic overflow using local-user-controlled data.
|
||||
*/
|
||||
deprecated module ArithmeticTaintedLocalOverflowFlow =
|
||||
TaintTracking::Global<ArithmeticTaintedLocalOverflowConfig>;
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration to reason about arithmetic underflow using local-user-controlled data.
|
||||
*/
|
||||
deprecated module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
|
||||
|
||||
predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ArithmeticUnderflow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for arithmetic underflow using local-user-controlled data.
|
||||
*/
|
||||
deprecated module ArithmeticTaintedLocalUnderflowFlow =
|
||||
TaintTracking::Global<ArithmeticTaintedLocalUnderflowConfig>;
|
||||
|
||||
@@ -25,11 +25,6 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ArithmeticOverflowConfig` instead.
|
||||
*/
|
||||
deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig;
|
||||
|
||||
/** A taint-tracking configuration to reason about underflow from unvalidated input. */
|
||||
module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
@@ -51,23 +46,8 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ArithmeticUnderflowConfig` instead.
|
||||
*/
|
||||
deprecated module RemoteUserInputUnderflowConfig = ArithmeticUnderflowConfig;
|
||||
|
||||
/** Taint-tracking flow for overflow from unvalidated input. */
|
||||
module ArithmeticOverflow = TaintTracking::Global<ArithmeticOverflowConfig>;
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ArithmeticOverflow` instead.
|
||||
*/
|
||||
deprecated module RemoteUserInputOverflow = ArithmeticOverflow;
|
||||
|
||||
/** Taint-tracking flow for underflow from unvalidated input. */
|
||||
module ArithmeticUnderflow = TaintTracking::Global<ArithmeticUnderflowConfig>;
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ArithmeticUnderflow` instead.
|
||||
*/
|
||||
deprecated module RemoteUserInputUnderflow = ArithmeticUnderflow;
|
||||
|
||||
@@ -78,44 +78,11 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `InputToArgumentToExecFlowConfig` instead.
|
||||
*/
|
||||
deprecated module RemoteUserInputToArgumentToExecFlowConfig = InputToArgumentToExecFlowConfig;
|
||||
|
||||
/**
|
||||
* Taint-tracking flow for unvalidated input that is used to run an external process.
|
||||
*/
|
||||
module InputToArgumentToExecFlow = TaintTracking::Global<InputToArgumentToExecFlowConfig>;
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `InputToArgumentToExecFlow` instead.
|
||||
*/
|
||||
deprecated module RemoteUserInputToArgumentToExecFlow = InputToArgumentToExecFlow;
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated local user input that is used to run an external process.
|
||||
*/
|
||||
deprecated module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjectionSanitizer }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
any(CommandInjectionAdditionalTaintStep s).step(n1, n2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `InputToArgumentToExecFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for unvalidated local user input that is used to run an external process.
|
||||
*/
|
||||
deprecated module LocalUserInputToArgumentToExecFlow =
|
||||
TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
|
||||
|
||||
/**
|
||||
* Implementation of `ExecTainted.ql`. It is extracted to a QLL
|
||||
* so that it can be excluded from `ExecUnescaped.ql` to avoid
|
||||
|
||||
@@ -1,27 +1,5 @@
|
||||
/** Provides a taint-tracking configuration to reason about use of externally controlled strings for command injection vulnerabilities. */
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.ExternalProcess
|
||||
private import semmle.code.java.security.CommandArguments
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
|
||||
/** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
|
||||
deprecated module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node instanceof SimpleTypeSanitizer
|
||||
or
|
||||
isSafeCommandArgument(node.asExpr())
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRCATED: Unused.
|
||||
*
|
||||
* Taint-tracking flow for use of externally controlled strings to make command line commands.
|
||||
*/
|
||||
deprecated module ExecTaintedLocalFlow = TaintTracking::Global<ExecTaintedLocalConfig>;
|
||||
|
||||
@@ -1,26 +1,5 @@
|
||||
/** Provides a taint-tracking configuration to reason about externally-controlled format strings from local sources. */
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.StringFormat
|
||||
|
||||
/** A taint-tracking configuration to reason about externally-controlled format strings from local sources. */
|
||||
deprecated module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(StringFormat formatCall).getFormatArgument()
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node.getType() instanceof NumericType or node.getType() instanceof BooleanType
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ExternallyControlledFormatStringFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for externally-controlled format strings from local sources.
|
||||
*/
|
||||
deprecated module ExternallyControlledFormatStringLocalFlow =
|
||||
TaintTracking::Global<ExternallyControlledFormatStringLocalConfig>;
|
||||
|
||||
@@ -1,24 +1,5 @@
|
||||
/** Provides a taint-tracking configuration to reason about improper validation of local user-provided size used for array construction. */
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.security.internal.ArraySizing
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration to reason about improper validation of local user-provided size used for array construction.
|
||||
*/
|
||||
deprecated module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ImproperValidationOfArrayConstructionFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for improper validation of local user-provided size used for array construction.
|
||||
*/
|
||||
deprecated module ImproperValidationOfArrayConstructionLocalFlow =
|
||||
TaintTracking::Global<ImproperValidationOfArrayConstructionLocalConfig>;
|
||||
|
||||
@@ -1,28 +1,5 @@
|
||||
/** Provides a taint-tracking configuration to reason about improper validation of local user-provided array index. */
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.security.internal.ArraySizing
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration to reason about improper validation of local user-provided array index.
|
||||
*/
|
||||
deprecated module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ImproperValidationOfArrayIndexFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for improper validation of local user-provided array index.
|
||||
*/
|
||||
deprecated module ImproperValidationOfArrayIndexLocalFlow =
|
||||
TaintTracking::Global<ImproperValidationOfArrayIndexLocalConfig>;
|
||||
|
||||
@@ -115,34 +115,3 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
|
||||
* Taint-tracking flow for user input that is used in a numeric cast.
|
||||
*/
|
||||
module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about local user input that is
|
||||
* used in a numeric cast.
|
||||
*/
|
||||
deprecated module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and
|
||||
sink.asExpr() instanceof VarAccess
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
boundedRead(node.asExpr()) or
|
||||
castCheck(node.asExpr()) or
|
||||
node.getType() instanceof SmallType or
|
||||
smallExpr(node.asExpr()) or
|
||||
node.getEnclosingCallable() instanceof HashCodeMethod or
|
||||
exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr())
|
||||
}
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `NumericCastFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for local user input that is used in a numeric cast.
|
||||
*/
|
||||
deprecated module NumericCastLocalFlow = TaintTracking::Global<NumericCastLocalFlowConfig>;
|
||||
|
||||
@@ -1,39 +1,5 @@
|
||||
/** Provides a taint-tracking configuration to reason about response splitting vulnerabilities from local user input. */
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.ResponseSplitting
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration to reason about response splitting vulnerabilities from local user input.
|
||||
*/
|
||||
deprecated module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node.getType() instanceof PrimitiveType
|
||||
or
|
||||
node.getType() instanceof BoxedType
|
||||
or
|
||||
exists(MethodCall ma, string methodName, CompileTimeConstantExpr target |
|
||||
node.asExpr() = ma and
|
||||
ma.getMethod().hasQualifiedName("java.lang", "String", methodName) and
|
||||
target = ma.getArgument(0) and
|
||||
(
|
||||
methodName = "replace" and target.getIntValue() = [10, 13] // 10 == "\n", 13 == "\r"
|
||||
or
|
||||
methodName = "replaceAll" and
|
||||
target.getStringValue().regexpMatch(".*([\n\r]|\\[\\^[^\\]\r\n]*\\]).*")
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ResponseSplittingFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for response splitting vulnerabilities from local user input.
|
||||
*/
|
||||
deprecated module ResponseSplittingLocalFlow = TaintTracking::Global<ResponseSplittingLocalConfig>;
|
||||
|
||||
@@ -2,32 +2,7 @@
|
||||
* Provides a taint-tracking configuration for reasoning about local user input
|
||||
* that is used in a SQL query.
|
||||
*/
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.SqlInjectionQuery
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about local user input that is
|
||||
* used in a SQL query.
|
||||
*/
|
||||
deprecated module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `QueryInjectionFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for local user input that is used in a SQL query.
|
||||
*/
|
||||
deprecated module LocalUserInputToQueryInjectionFlow =
|
||||
TaintTracking::Global<LocalUserInputToQueryInjectionFlowConfig>;
|
||||
|
||||
@@ -78,28 +78,3 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
|
||||
|
||||
/** Tracks flow from remote sources to the creation of a path. */
|
||||
module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for tracking flow from local user input to the creation of a path.
|
||||
*/
|
||||
deprecated module TaintedPathLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof TaintedPathSink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node sanitizer) {
|
||||
sanitizer instanceof SimpleTypeSanitizer or
|
||||
sanitizer instanceof PathInjectionSanitizer
|
||||
}
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
any(TaintedPathAdditionalTaintStep s).step(n1, n2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `TaintedPathFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Tracks flow from local user input to the creation of a path.
|
||||
*/
|
||||
deprecated module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;
|
||||
|
||||
@@ -1,21 +1,5 @@
|
||||
/** Provides a taint-tracking configuration to reason about URL redirection from local sources. */
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.UrlRedirect
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration to reason about URL redirection from local sources.
|
||||
*/
|
||||
deprecated module UrlRedirectLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `UrlRedirectFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for URL redirection from local sources.
|
||||
*/
|
||||
deprecated module UrlRedirectLocalFlow = TaintTracking::Global<UrlRedirectLocalConfig>;
|
||||
|
||||
@@ -1,30 +1,5 @@
|
||||
/** Provides a taint-tracking configuration to reason about cross-site scripting from a local source. */
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.dataflow.TaintTracking
|
||||
private import semmle.code.java.security.XSS
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about cross-site scripting vulnerabilities from a local source.
|
||||
*/
|
||||
deprecated module XssLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof XssSanitizer }
|
||||
|
||||
predicate isBarrierOut(DataFlow::Node node) { node instanceof XssSinkBarrier }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(XssAdditionalTaintStep s).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `XssFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Taint-tracking flow for cross-site scripting vulnerabilities from a local source.
|
||||
*/
|
||||
deprecated module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
|
||||
|
||||
@@ -1,28 +1,5 @@
|
||||
/** Provides taint tracking configurations to be used in local XXE queries. */
|
||||
overlay[local?]
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.dataflow.TaintTracking
|
||||
private import semmle.code.java.security.XxeQuery
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated local user input that is used in XML external entity expansion.
|
||||
*/
|
||||
deprecated module XxeLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof XxeSanitizer }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
any(XxeAdditionalTaintStep s).step(n1, n2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `XxeFlow` instead and configure threat model sources to include `local`.
|
||||
*
|
||||
* Detect taint flow of unvalidated local user input that is used in XML external entity expansion.
|
||||
*/
|
||||
deprecated module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
|
||||
|
||||
Reference in New Issue
Block a user