Revert "deprecate SqlConstruction"

This reverts commit c0eca0d09a.
2026-05-01 11:45:14 +02:00 · 2022-05-03 22:49:33 +02:00
parent 1062aae21c
commit 571fc3e73b
15 changed files with 85 additions and 49 deletions
--- a/python/ql/lib/change-notes/2022-05-02-deprecate-sqlconstruction.md
+++ b/python/ql/lib/change-notes/2022-05-02-deprecate-sqlconstruction.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-The `SqlConstruction` class and module from `Concepts.qll` has been deprecated. Use `SqlExecution` from the same file instead.
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -308,19 +308,36 @@ module CodeExecution {
  }
 }

-/** DEPRECATED: Use `SqlExecution` instead. */
-deprecated class SqlConstruction extends DataFlow::Node instanceof SqlConstruction::Range {
+/**
+ * A data-flow node that constructs an SQL statement.
+ *
+ * Often, it is worthy of an alert if an SQL statement is constructed such that
+ * executing it would be a security risk.
+ *
+ * If it is important that the SQL statement is indeed executed, then use `SQLExecution`.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `SqlConstruction::Range` instead.
+ */
+class SqlConstruction extends DataFlow::Node instanceof SqlConstruction::Range {
  /** Gets the argument that specifies the SQL statements to be constructed. */
  DataFlow::Node getSql() { result = super.getSql() }
 }

-/**
- * DEPRECATED: Use `SqlExecution` instead.
- * Provides a class for modeling new SQL execution APIs.
- */
-deprecated module SqlConstruction {
-  /** DEPRECATED: Use `SqlExecution::Range` instead. */
-  abstract deprecated class Range extends DataFlow::Node {
+/** Provides a class for modeling new SQL execution APIs. */
+module SqlConstruction {
+  /**
+   * A data-flow node that constructs an SQL statement.
+   *
+   * Often, it is worthy of an alert if an SQL statement is constructed such that
+   * executing it would be a security risk.
+   *
+   * If it is important that the SQL statement is indeed executed, then use `SQLExecution`.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `SqlConstruction` instead.
+   */
+  abstract class Range extends DataFlow::Node {
    /** Gets the argument that specifies the SQL statements to be constructed. */
    abstract DataFlow::Node getSql();
  }
@@ -329,6 +346,9 @@ deprecated module SqlConstruction {
 /**
 * A data-flow node that executes SQL statements.
 *
+ * If the context of interest is such that merely constructing an SQL statement
+ * would be valuabe to report, then consider using `SqlConstruction`.
+ *
 * Extend this class to refine existing API models. If you want to model new APIs,
 * extend `SqlExecution::Range` instead.
 */
@@ -342,6 +362,9 @@ module SqlExecution {
  /**
   * A data-flow node that executes SQL statements.
   *
+   * If the context of interest is such that merely constructing an SQL statement
+   * would be valuabe to report, then consider using `SqlConstruction`.
+   *
   * Extend this class to model new APIs. If you want to refine existing API models,
   * extend `SqlExecution` instead.
   */
--- a/python/ql/lib/semmle/python/frameworks/Aiomysql.qll
+++ b/python/ql/lib/semmle/python/frameworks/Aiomysql.qll
@@ -50,7 +50,7 @@ private module Aiomysql {
   * A query. Calling `execute` on a `Cursor` constructs a query.
   * See https://aiomysql.readthedocs.io/en/stable/cursors.html#Cursor.execute
   */
-  class CursorExecuteCall extends SqlExecution::Range, API::CallNode {
+  class CursorExecuteCall extends SqlConstruction::Range, API::CallNode {
    CursorExecuteCall() { this = cursor().getMember("execute").getACall() }

    override DataFlow::Node getSql() { result = this.getParameter(0, "operation").getARhs() }
@@ -91,7 +91,7 @@ private module Aiomysql {
   * A query. Calling `execute` on a `SAConnection` constructs a query.
   * See https://aiomysql.readthedocs.io/en/stable/sa.html#aiomysql.sa.SAConnection.execute
   */
-  class SAConnectionExecuteCall extends SqlExecution::Range, API::CallNode {
+  class SAConnectionExecuteCall extends SqlConstruction::Range, API::CallNode {
    SAConnectionExecuteCall() { this = saConnection().getMember("execute").getACall() }

    override DataFlow::Node getSql() { result = this.getParameter(0, "query").getARhs() }
--- a/python/ql/lib/semmle/python/frameworks/Aiopg.qll
+++ b/python/ql/lib/semmle/python/frameworks/Aiopg.qll
@@ -50,7 +50,7 @@ private module Aiopg {
   * A query. Calling `execute` on a `Cursor` constructs a query.
   * See https://aiopg.readthedocs.io/en/stable/core.html#aiopg.Cursor.execute
   */
-  class CursorExecuteCall extends SqlExecution::Range, API::CallNode {
+  class CursorExecuteCall extends SqlConstruction::Range, API::CallNode {
    CursorExecuteCall() { this = cursor().getMember("execute").getACall() }

    override DataFlow::Node getSql() { result = this.getParameter(0, "operation").getARhs() }
@@ -87,7 +87,7 @@ private module Aiopg {
   * A query. Calling `execute` on a `SAConnection` constructs a query.
   * See https://aiopg.readthedocs.io/en/stable/sa.html#aiopg.sa.SAConnection.execute
   */
-  class SAConnectionExecuteCall extends SqlExecution::Range, API::CallNode {
+  class SAConnectionExecuteCall extends SqlConstruction::Range, API::CallNode {
    SAConnectionExecuteCall() { this = saConnection().getMember("execute").getACall() }

    override DataFlow::Node getSql() { result = this.getParameter(0, "query").getARhs() }
--- a/python/ql/lib/semmle/python/frameworks/Asyncpg.qll
+++ b/python/ql/lib/semmle/python/frameworks/Asyncpg.qll
@@ -56,7 +56,7 @@ private module Asyncpg {
   * The creation of the `Cursor` executes the query.
   */
  module Cursor {
-    class CursorConstruction extends SqlExecution::Range, API::CallNode {
+    class CursorConstruction extends SqlConstruction::Range, API::CallNode {
      CursorConstruction() {
        this = ModelOutput::getATypeNode("asyncpg", "Connection").getMember("cursor").getACall()
      }
--- a/python/ql/lib/semmle/python/frameworks/SqlAlchemy.qll
+++ b/python/ql/lib/semmle/python/frameworks/SqlAlchemy.qll
@@ -323,7 +323,7 @@ module SqlAlchemy {
     * A construction of a `sqlalchemy.sql.expression.TextClause`, which represents a
     * textual SQL string directly.
     */
-    abstract class TextClauseConstruction extends SqlExecution::Range, DataFlow::CallCfgNode {
+    abstract class TextClauseConstruction extends SqlConstruction::Range, DataFlow::CallCfgNode {
      /** Gets the argument that specifies the SQL text. */
      override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("text")] }
    }
--- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
@@ -43,10 +43,9 @@ module SqlInjection {
  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }

  /**
-   * DEPRECATED: Use `SqlExecutionAsSink` instead.
   * A SQL statement of a SQL construction, considered as a flow sink.
   */
-  deprecated class SqlConstructionAsSink extends Sink {
+  class SqlConstructionAsSink extends Sink {
    SqlConstructionAsSink() { this = any(SqlConstruction c).getSql() }
  }