Refactor experimental queries to use ThreadModelFlowSource

2026-04-25 00:35:20 +02:00 · 2024-06-06 23:42:41 -04:00
parent cfd5f53eb0
commit 46e16b88bb
11 changed files with 27 additions and 27 deletions
--- a/go/ql/src/experimental/CWE-090/LDAPInjection.qll
+++ b/go/ql/src/experimental/CWE-090/LDAPInjection.qll
@@ -98,13 +98,13 @@ private class LdapClientDNSink extends LdapSink {
 /**
 * DEPRECATED: Use `LdapInjectionFlow` instead.
 *
- * A taint-tracking configuration for reasoning about when a `RemoteFlowSource`
+ * A taint-tracking configuration for reasoning about when a `ThreatModelFlowSource`
 * flows into an argument or field that is vulnerable to LDAP injection.
 */
 deprecated class LdapInjectionConfiguration extends TaintTracking::Configuration {
  LdapInjectionConfiguration() { this = "Ldap injection" }

-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink }

@@ -112,7 +112,7 @@ deprecated class LdapInjectionConfiguration extends TaintTracking::Configuration
 }

 private module LdapInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink }

@@ -120,7 +120,7 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig {
 }

 /**
- * Tracks taint flow for reasoning about when a `RemoteFlowSource` flows
+ * Tracks taint flow for reasoning about when a `ThreatModelFlowSource` flows
 * into an argument or field that is vulnerable to LDAP injection.
 */
 module LdapInjectionFlow = TaintTracking::Global<LdapInjectionConfig>;
--- a/go/ql/src/experimental/CWE-203/Timing.ql
+++ b/go/ql/src/experimental/CWE-203/Timing.ql
@@ -98,7 +98,7 @@ private class SensitiveStringSink extends Sink {

 module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and not isBadResult(source)
+    source instanceof ThreatModelFlowSource and not isBadResult(source)
  }

  predicate isSink(DataFlow::Node sink) { sink instanceof Sink and not isBadResult(sink) }
--- a/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll
+++ b/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll
@@ -68,7 +68,7 @@ module ImproperLdapAuth {

  private module Config implements DataFlow::ConfigSig {
    predicate isSource(DataFlow::Node source) {
-      source instanceof RemoteFlowSource or source instanceof EmptyString
+      source instanceof ThreatModelFlowSource or source instanceof EmptyString
    }

    predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink }
--- a/go/ql/src/experimental/CWE-369/DivideByZero.ql
+++ b/go/ql/src/experimental/CWE-369/DivideByZero.ql
@@ -28,7 +28,7 @@ predicate divideByZeroSanitizerGuard(DataFlow::Node g, Expr e, boolean branch) {
 }

 module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    exists(Function f, DataFlow::CallNode cn | cn = f.getACall() |
--- a/go/ql/src/experimental/CWE-74/DsnInjection.ql
+++ b/go/ql/src/experimental/CWE-74/DsnInjection.ql
@@ -14,7 +14,7 @@ import DsnInjectionCustomizations
 import DsnInjectionFlow::PathGraph

 /** A remote flow source taken as a source for the `DsnInjection` taint-flow configuration. */
-private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
+private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }

 from DsnInjectionFlow::PathNode source, DsnInjectionFlow::PathNode sink
 where DsnInjectionFlow::flowPath(source, sink)
--- a/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
+++ b/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
@@ -36,7 +36,7 @@ class PassthroughTypeName extends string {
 }

 module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  additional predicate isSinkToPassthroughType(DataFlow::TypeCastNode sink, PassthroughTypeName name) {
    exists(Type typ |
@@ -53,7 +53,7 @@ module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig
 }

 /**
- * Tracks taint flow for reasoning about when a `RemoteFlowSource` is
+ * Tracks taint flow for reasoning about when a `ThreatModelFlowSource` is
 * converted into a special "passthrough" type which will not be escaped by the
 * template generator; this allows the injection of arbitrary content (html,
 * css, js) into the generated output of the templates.
@@ -109,13 +109,13 @@ predicate isSinkToTemplateExec(DataFlow::Node sink, DataFlow::CallNode call) {
 }

 module FromUntrustedToTemplateExecutionCallConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
 }

 /**
- * Tracks taint flow from a `RemoteFlowSource` into a template executor
+ * Tracks taint flow from a `ThreatModelFlowSource` into a template executor
 * call.
 */
 module FromUntrustedToTemplateExecutionCallFlow =
--- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
+++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
@@ -52,7 +52,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "Condtional Expression Check Bypass" }

  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
+    source instanceof ThreatModelFlowSource
    or
    exists(DataFlow::FieldReadNode f |
      f.getField().hasQualifiedName("net/http", "Request", "Host")
@@ -71,7 +71,7 @@ deprecated class Configuration extends TaintTracking::Configuration {

 private module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
+    source instanceof ThreatModelFlowSource
    or
    exists(DataFlow::FieldReadNode f |
      f.getField().hasQualifiedName("net/http", "Request", "Host")
--- a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
+++ b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
@@ -14,7 +14,7 @@ import go

 module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
+    source instanceof ThreatModelFlowSource
    or
    source = any(Field f | f.hasQualifiedName("net/http", "Request", "Host")).getARead()
  }
--- a/go/ql/src/experimental/CWE-918/SSRF.qll
+++ b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -88,14 +88,14 @@ module ServerSideRequestForgery {
  abstract class SanitizerEdge extends DataFlow::Node { }

  /**
-   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
+   * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
   */
-  deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
+  deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource;

  /**
   * An user controlled input, considered as a flow source for request forgery.
   */
-  private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
+  private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }

  /**
   * The URL of an HTTP request, viewed as a sink for request forgery.
--- a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
+++ b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
@@ -52,7 +52,7 @@ class AllowCredentialsHeaderWrite extends Http::HeaderWrite {
 }

 module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  additional predicate isSinkHW(DataFlow::Node sink, AllowOriginHeaderWrite hw) {
    sink = hw.getValue()
@@ -70,7 +70,7 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
 }

 module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  additional predicate isSinkWrite(DataFlow::Node sink, GinCors::AllowOriginsWrite w) { sink = w }

@@ -78,13 +78,13 @@ module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
 }

 /**
- * Tracks taint flowfor reasoning about when a `RemoteFlowSource` flows to
+ * Tracks taint flowfor reasoning about when a `ThreatModelFlowSource` flows to
 * a `HeaderWrite` that writes an `Access-Control-Allow-Origin` header's value.
 */
 module UntrustedToAllowOriginHeaderFlow = TaintTracking::Global<UntrustedToAllowOriginHeaderConfig>;

 /**
- * Tracks taint flowfor reasoning about when a `RemoteFlowSource` flows to
+ * Tracks taint flowfor reasoning about when a `ThreatModelFlowSource` flows to
 * a `AllowOriginsWrite` that writes an `Access-Control-Allow-Origin` header's value.
 */
 module UntrustedToAllowOriginConfigFlow = TaintTracking::Global<UntrustedToAllowOriginConfigConfig>;
@@ -121,7 +121,7 @@ predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) {

 /**
 * Holds if the provided `allowOriginHW` HeaderWrite's value is set using an
- * RemoteFlowSource.
+ * ThreatModelFlowSource.
 * The `message` parameter is populated with the warning message to be returned by the query.
 */
 predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOriginHW, string message) {
@@ -169,7 +169,7 @@ class MapRead extends DataFlow::ElementReadNode {
 }

 module FromUntrustedConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { isSinkCgn(sink, _) }

@@ -208,13 +208,13 @@ module FromUntrustedConfig implements DataFlow::ConfigSig {
 }

 /**
- * Tracks taint flow for reasoning about when a `RemoteFlowSource` flows
+ * Tracks taint flow for reasoning about when a `ThreatModelFlowSource` flows
 * somewhere.
 */
 module FromUntrustedFlow = TaintTracking::Global<FromUntrustedConfig>;

 /**
- * Holds if the provided `allowOriginHW` is also destination of a `RemoteFlowSource`.
+ * Holds if the provided `allowOriginHW` is also destination of a `ThreatModelFlowSource`.
 */
 predicate flowsToGuardedByCheckOnUntrusted(DataFlow::ExprNode allowOriginHW) {
  exists(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn |
--- a/go/ql/src/experimental/frameworks/DecompressionBombs.qll
+++ b/go/ql/src/experimental/frameworks/DecompressionBombs.qll
@@ -29,7 +29,7 @@ module DecompressionBomb {
    class FlowState = DecompressionBombs::FlowState;

    predicate isSource(DataFlow::Node source, FlowState state) {
-      source instanceof RemoteFlowSource and
+      source instanceof ThreatModelFlowSource and
      state = ""
    }