Java: Deprecate the content of SqlTaintedLocalQuery and remove the local query variant.

2026-04-26 01:05:15 +02:00 · 2024-05-01 10:33:46 +02:00
parent b68abab12a
commit 5b89bd23c7
7 changed files with 11 additions and 32 deletions
--- a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
@@ -12,7 +12,7 @@ private import semmle.code.java.security.Sanitizers
 * A taint-tracking configuration for reasoning about local user input that is
 * used in a SQL query.
 */
-module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
+deprecated module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
@@ -25,7 +25,9 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `QueryInjectionFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for local user input that is used in a SQL query.
 */
-module LocalUserInputToQueryInjectionFlow =
+deprecated module LocalUserInputToQueryInjectionFlow =
  TaintTracking::Global<LocalUserInputToQueryInjectionFlowConfig>;
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="SqlTainted.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -1,24 +0,0 @@
-/**
- * @name Query built from local-user-controlled sources
- * @description Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of
- *              malicious code by the user.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 8.8
- * @precision medium
- * @id java/sql-injection-local
- * @tags security
- *       external/cwe/cwe-089
- *       external/cwe/cwe-564
- */
-
-import java
-import semmle.code.java.security.SqlTaintedLocalQuery
-import LocalUserInputToQueryInjectionFlow::PathGraph
-
-from
-  LocalUserInputToQueryInjectionFlow::PathNode source,
-  LocalUserInputToQueryInjectionFlow::PathNode sink
-where LocalUserInputToQueryInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
-  "user-provided value"
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-089/SqlTainted.ql
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-089/SqlTaintedLocal.ql