From 5b89bd23c7afb05aaaab2ae12dcb065fdff16cf0 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Wed, 1 May 2024 10:33:46 +0200
Subject: [PATCH] Java: Deprecate the content of SqlTaintedLocalQuery and remove the local query variant.
---
 .../java/security/SqlTaintedLocalQuery.qll | 6 +++--
 .../CWE/CWE-089/SqlTaintedLocal.qhelp | 5 ----
 .../Security/CWE/CWE-089/SqlTaintedLocal.ql | 24 -------------------
 ...ntedLocal.expected => SqlTainted.expected} | 0
 .../semmle/examples/SqlTainted.ext.yml | 6 +++++
 .../CWE-089/semmle/examples/SqlTainted.qlref | 1 +
 .../semmle/examples/SqlTaintedLocal.qlref | 1 -
 7 files changed, 11 insertions(+), 32 deletions(-)
delete mode 100644 java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp
delete mode 100644 java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
rename java/ql/test/query-tests/security/CWE-089/semmle/examples/{SqlTaintedLocal.expected => SqlTainted.expected} (100%)
create mode 100644 java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.ext.yml
create mode 100644 java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref
delete mode 100644 java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.qlref
diff --git a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
index 9f32bd00b57..7ff4b300ce8 100644
--- a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
@@ -12,7 +12,7 @@ private import semmle.code.java.security.Sanitizers
 * A taint-tracking configuration for reasoning about local user input that is
 * used in a SQL query.
 */
-module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
+deprecated module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
@@ -25,7 +25,9 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 /**
+ * DEPRECATED: Use `QueryInjectionFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for local user input that is used in a SQL query.
 */
-module LocalUserInputToQueryInjectionFlow =
+deprecated module LocalUserInputToQueryInjectionFlow =
 TaintTracking::Global;
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp
deleted file mode 100644
index accf2aee854..00000000000
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp
+++ /dev/null
@@ -1,5 +0,0 @@
-
-
-
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
deleted file mode 100644
index 8b95ee597be..00000000000
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ /dev/null
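Review bot: The `deprecated` annotation added to `LocalUserInputToQueryInjectionFlowConfig` in the first hunk is not reflected in that module's QLDoc, which still reads only "A taint-tracking configuration for reasoning about local user input that is used in a SQL query." The second hunk gives `LocalUserInputToQueryInjectionFlow` a `DEPRECATED:` line naming the replacement, but a reader who lands on the config module gets no such pointer, and since this patch deletes the `java/sql-injection-local` query outright rather than deprecating it, the QLDoc is the only migration hint left in the library. Add the same `DEPRECATED:` line used in the second hunk (replacement `QueryInjectionFlow`, threat model sources to include `local`) at the top of the config module's comment, followed by a blank ` *` line. The config module's body continues past the end of the first hunk.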
@@ -1,24 +0,0 @@
-/**
- * @name Query built from local-user-controlled sources
- * @description Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of
- * malicious code by the user.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 8.8
- * @precision medium
- * @id java/sql-injection-local
- * @tags security
- external/cwe/cwe-089
- external/cwe/cwe-564
- */
-
-import java
-import semmle.code.java.security.SqlTaintedLocalQuery
-import LocalUserInputToQueryInjectionFlow::PathGraph
-
-from
- LocalUserInputToQueryInjectionFlow::PathNode source,
- LocalUserInputToQueryInjectionFlow::PathNode sink
-where LocalUserInputToQueryInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
- "user-provided value"
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected
similarity index 100%
rename from java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
rename to java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.ext.yml b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.ext.yml
new file mode 100644
index 00000000000..63507f47738
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/threat-models
+ extensible: threatModelConfiguration
+ data:
+ - ["local", true, 0]
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref
new file mode 100644
index 00000000000..21a12e5eadd
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-089/SqlTainted.ql
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.qlref b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.qlref
deleted file mode 100644
index ac5a020be5a..00000000000
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-089/SqlTaintedLocal.ql