diff --git a/python/ql/lib/semmle/python/security/Paths.qll b/python/ql/lib/semmle/python/security/Paths.qll index 8f7cba4b969..9288a1eff61 100644 --- a/python/ql/lib/semmle/python/security/Paths.qll +++ b/python/ql/lib/semmle/python/security/Paths.qll @@ -1,6 +1,6 @@ import semmle.python.dataflow.Implementation -module TaintTrackingPaths { +deprecated module TaintTrackingPaths { predicate edge(TaintTrackingNode src, TaintTrackingNode dest, string label) { exists(TaintTrackingNode source, TaintTrackingNode sink | source.getConfiguration().hasFlowPath(source, sink) and @@ -11,6 +11,6 @@ module TaintTrackingPaths { } } -query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) { +deprecated query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) { TaintTrackingPaths::edge(fromnode, tonode, _) } diff --git a/python/ql/lib/semmle/python/security/flow/AnyCall.qll b/python/ql/lib/semmle/python/security/flow/AnyCall.qll index 7478d7a58ab..6c93f3841b2 100644 --- a/python/ql/lib/semmle/python/security/flow/AnyCall.qll +++ b/python/ql/lib/semmle/python/security/flow/AnyCall.qll @@ -2,7 +2,7 @@ import python import semmle.python.security.strings.Basic /** Assume that taint flows from argument to result for *any* call */ -class AnyCallStringFlow extends DataFlowExtension::DataFlowNode { +deprecated class AnyCallStringFlow extends DataFlowExtension::DataFlowNode { AnyCallStringFlow() { any(CallNode call).getAnArg() = this } override ControlFlowNode getASuccessorNode() { result.(CallNode).getAnArg() = this } diff --git a/python/ql/lib/semmle/python/security/strings/Basic.qll b/python/ql/lib/semmle/python/security/strings/Basic.qll index f6ab8a95e76..00598b72344 100755 --- a/python/ql/lib/semmle/python/security/strings/Basic.qll +++ b/python/ql/lib/semmle/python/security/strings/Basic.qll @@ -3,7 +3,7 @@ private import Common import semmle.python.dataflow.TaintTracking /** An extensible kind of taint representing any kind of string. */ -abstract class StringKind extends TaintKind { +abstract deprecated class StringKind extends TaintKind { bindingset[this] StringKind() { this = this } @@ -42,7 +42,7 @@ abstract class StringKind extends TaintKind { } } -private class StringEqualitySanitizer extends Sanitizer { +deprecated private class StringEqualitySanitizer extends Sanitizer { StringEqualitySanitizer() { this = "string equality sanitizer" } /** The test `if untrusted == "KNOWN_VALUE":` sanitizes `untrusted` on its `true` edge. */ @@ -64,13 +64,13 @@ private class StringEqualitySanitizer extends Sanitizer { } /** tonode = ....format(fromnode) */ -private predicate str_format(ControlFlowNode fromnode, CallNode tonode) { +deprecated private predicate str_format(ControlFlowNode fromnode, CallNode tonode) { tonode.getFunction().(AttrNode).getName() = "format" and tonode.getAnArg() = fromnode } /** tonode = codec.[en|de]code(fromnode) */ -private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) { +deprecated private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) { exists(FunctionObject func, string name | not func.getFunction().isMethod() and func.getACall() = tonode and @@ -84,7 +84,7 @@ private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) { } /** tonode = str(fromnode) */ -private predicate to_str(ControlFlowNode fromnode, CallNode tonode) { +deprecated private predicate to_str(ControlFlowNode fromnode, CallNode tonode) { tonode.getAnArg() = fromnode and ( tonode = ClassValue::bytes().getACall() @@ -94,7 +94,7 @@ private predicate to_str(ControlFlowNode fromnode, CallNode tonode) { } /** tonode = fromnode[:] */ -private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) { +deprecated private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) { exists(Slice all | all = tonode.getIndex().getNode() and not exists(all.getStart()) and @@ -104,13 +104,13 @@ private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) { } /** tonode = os.path.join(..., fromnode, ...) */ -private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) { +deprecated private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) { tonode = Value::named("os.path.join").getACall() and tonode.getAnArg() = fromnode } /** tonode = f"... {fromnode} ..." */ -private predicate f_string(ControlFlowNode fromnode, ControlFlowNode tonode) { +deprecated private predicate f_string(ControlFlowNode fromnode, ControlFlowNode tonode) { tonode.getNode().(Fstring).getAValue() = fromnode.getNode() } @@ -119,6 +119,6 @@ private predicate f_string(ControlFlowNode fromnode, ControlFlowNode tonode) { * * DEPRECATED: Use `ExternalStringDictKind` instead. */ -deprecated class StringDictKind extends DictKind { +deprecated deprecated class StringDictKind extends DictKind { StringDictKind() { this.getValue() instanceof StringKind } } diff --git a/python/ql/lib/semmle/python/security/strings/Common.qll b/python/ql/lib/semmle/python/security/strings/Common.qll index bb0af8b8aec..e7e542ec023 100644 --- a/python/ql/lib/semmle/python/security/strings/Common.qll +++ b/python/ql/lib/semmle/python/security/strings/Common.qll @@ -1,7 +1,7 @@ import python /* A call that returns a copy (or similar) of the argument */ -predicate copy_call(ControlFlowNode fromnode, CallNode tonode) { +deprecated predicate copy_call(ControlFlowNode fromnode, CallNode tonode) { tonode.getFunction().(AttrNode).getObject("copy") = fromnode or exists(ModuleValue copy, string name | name = "copy" or name = "deepcopy" | diff --git a/python/ql/lib/semmle/python/security/strings/External.qll b/python/ql/lib/semmle/python/security/strings/External.qll index 41638d78f18..875ccfc44bb 100644 --- a/python/ql/lib/semmle/python/security/strings/External.qll +++ b/python/ql/lib/semmle/python/security/strings/External.qll @@ -5,7 +5,7 @@ private import Common /** * An extensible kind of taint representing an externally controlled string. */ -abstract class ExternalStringKind extends StringKind { +abstract deprecated class ExternalStringKind extends StringKind { bindingset[this] ExternalStringKind() { this = this } @@ -30,7 +30,7 @@ abstract class ExternalStringKind extends StringKind { } /** A kind of "taint", representing a sequence, with a "taint" member */ -class ExternalStringSequenceKind extends SequenceKind { +deprecated class ExternalStringSequenceKind extends SequenceKind { ExternalStringSequenceKind() { this.getItem() instanceof ExternalStringKind } } @@ -38,7 +38,7 @@ class ExternalStringSequenceKind extends SequenceKind { * An hierachical dictionary or list where the entire structure is externally controlled * This is typically a parsed JSON object. */ -class ExternalJsonKind extends TaintKind { +deprecated class ExternalJsonKind extends TaintKind { ExternalJsonKind() { this = "json[" + any(ExternalStringKind key) + "]" } /** Gets the taint kind for item in this sequence */ @@ -61,7 +61,7 @@ class ExternalJsonKind extends TaintKind { } /** A kind of "taint", representing a dictionary mapping keys to tainted strings. */ -class ExternalStringDictKind extends DictKind { +deprecated class ExternalStringDictKind extends DictKind { ExternalStringDictKind() { this.getValue() instanceof ExternalStringKind } } @@ -69,12 +69,12 @@ class ExternalStringDictKind extends DictKind { * A kind of "taint", representing a dictionary mapping keys to sequences of * tainted strings. */ -class ExternalStringSequenceDictKind extends DictKind { +deprecated class ExternalStringSequenceDictKind extends DictKind { ExternalStringSequenceDictKind() { this.getValue() instanceof ExternalStringSequenceKind } } /** TaintKind for the result of `urlsplit(tainted_string)` */ -class ExternalUrlSplitResult extends ExternalStringSequenceKind { +deprecated class ExternalUrlSplitResult extends ExternalStringSequenceKind { // https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlsplit override TaintKind getTaintOfAttribute(string name) { result = super.getTaintOfAttribute(name) @@ -103,7 +103,7 @@ class ExternalUrlSplitResult extends ExternalStringSequenceKind { } /** TaintKind for the result of `urlparse(tainted_string)` */ -class ExternalUrlParseResult extends ExternalStringSequenceKind { +deprecated class ExternalUrlParseResult extends ExternalStringSequenceKind { // https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse override TaintKind getTaintOfAttribute(string name) { result = super.getTaintOfAttribute(name) @@ -134,7 +134,7 @@ class ExternalUrlParseResult extends ExternalStringSequenceKind { /* Helper for getTaintForStep() */ pragma[noinline] -private predicate json_subscript_taint( +deprecated deprecated private predicate json_subscript_taint( SubscriptNode sub, ControlFlowNode obj, ExternalJsonKind seq, TaintKind key ) { sub.isLoad() and @@ -142,12 +142,12 @@ private predicate json_subscript_taint( key = seq.getValue() } -private predicate json_load(ControlFlowNode fromnode, CallNode tonode) { +deprecated private predicate json_load(ControlFlowNode fromnode, CallNode tonode) { tonode = Value::named("json.loads").getACall() and tonode.getArg(0) = fromnode } -private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) { +deprecated private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) { // This could be implemented as `exists(FunctionValue` without the explicit six part, // but then our tests will need to import +100 modules, so for now this slightly // altered version gets to live on. @@ -166,7 +166,7 @@ private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) { ) } -private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) { +deprecated private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) { // This could be implemented as `exists(FunctionValue` without the explicit six part, // but then our tests will need to import +100 modules, so for now this slightly // altered version gets to live on. @@ -185,7 +185,7 @@ private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) { ) } -private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) { +deprecated private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) { // This could be implemented as `exists(FunctionValue` without the explicit six part, // but then our tests will need to import +100 modules, so for now this slightly // altered version gets to live on. @@ -211,7 +211,7 @@ private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) { ) } -private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) { +deprecated private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) { // This could be implemented as `exists(FunctionValue` without the explicit six part, // but then our tests will need to import +100 modules, so for now this slightly // altered version gets to live on. @@ -238,7 +238,7 @@ private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) { } /** A kind of "taint", representing an open file-like object from an external source. */ -class ExternalFileObject extends TaintKind { +deprecated class ExternalFileObject extends TaintKind { ExternalStringKind valueKind; ExternalFileObject() { this = "file[" + valueKind + "]" } @@ -266,7 +266,7 @@ class ExternalFileObject extends TaintKind { * - `if splitres.netloc == "KNOWN_VALUE"` * - `if splitres[0] == "KNOWN_VALUE"` */ -class UrlsplitUrlparseTempSanitizer extends Sanitizer { +deprecated class UrlsplitUrlparseTempSanitizer extends Sanitizer { // TODO: remove this once we have better support for named tuples UrlsplitUrlparseTempSanitizer() { this = "UrlsplitUrlparseTempSanitizer" } diff --git a/python/ql/lib/semmle/python/security/strings/Untrusted.qll b/python/ql/lib/semmle/python/security/strings/Untrusted.qll index da8c23e7bde..2916b723a8f 100644 --- a/python/ql/lib/semmle/python/security/strings/Untrusted.qll +++ b/python/ql/lib/semmle/python/security/strings/Untrusted.qll @@ -5,6 +5,6 @@ import External * A kind of taint representing an externally controlled string. * This class is a simple sub-class of `ExternalStringKind`. */ -class UntrustedStringKind extends ExternalStringKind { +deprecated class UntrustedStringKind extends ExternalStringKind { UntrustedStringKind() { this = "externally controlled string" } }