delete old deprecations
@@ -154,12 +154,6 @@ abstract class Container extends @container {
|
||||
*/
|
||||
string toString() { result = this.getAbsolutePath() }
|
||||
|
||||
/**
|
||||
* Gets the name of this container.
|
||||
* DEPRECATED: Use `getAbsolutePath` instead.
|
||||
*/
|
||||
deprecated string getName() { result = this.getAbsolutePath() }
|
||||
|
||||
/**
|
||||
* Gets the relative path of this file or folder from the root folder of the
|
||||
* analyzed source location. The relative path of the root folder itself is
|
||||
|
||||
@@ -664,14 +664,6 @@ module DataFlow {
|
||||
}
|
||||
}
|
||||
|
||||
deprecated private class DataFlowType extends TaintKind {
|
||||
// this only exists to avoid an empty recursion error in the type checker
|
||||
DataFlowType() {
|
||||
this = "Data flow" and
|
||||
1 = 2
|
||||
}
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate dict_construct(ControlFlowNode itemnode, ControlFlowNode dictnode) {
|
||||
dictnode.(DictNode).getAValue() = itemnode
|
||||
|
||||
@@ -534,9 +534,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django` module. */
|
||||
API::Node django() { result = API::moduleImport("django") }
|
||||
|
||||
/** DEPRECATED: Alias for `DjangoImpl` */
|
||||
deprecated module django = DjangoImpl;
|
||||
|
||||
/** Provides models for the `django` module. */
|
||||
module DjangoImpl {
|
||||
// -------------------------------------------------------------------------
|
||||
@@ -552,9 +549,6 @@ module PrivateDjango {
|
||||
DjangoDb() { this = API::moduleImport("django").getMember("db") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for `DB` */
|
||||
deprecated module db = DB;
|
||||
|
||||
/** Provides models for the `django.db` module. */
|
||||
module DB {
|
||||
/** Gets a reference to the `django.db.connection` object. */
|
||||
@@ -571,9 +565,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.db.models` module. */
|
||||
API::Node models() { result = db().getMember("models") }
|
||||
|
||||
/** DEPRECATED: Alias for `Models` */
|
||||
deprecated module models = Models;
|
||||
|
||||
/** Provides models for the `django.db.models` module. */
|
||||
module Models {
|
||||
/**
|
||||
@@ -819,9 +810,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.db.models.expressions` module. */
|
||||
API::Node expressions() { result = models().getMember("expressions") }
|
||||
|
||||
/** DEPRECATED: Alias for `Expressions` */
|
||||
deprecated module expressions = Expressions;
|
||||
|
||||
/** Provides models for the `django.db.models.expressions` module. */
|
||||
module Expressions {
|
||||
/** Provides models for the `django.db.models.expressions.RawSql` class. */
|
||||
@@ -858,9 +846,6 @@ module PrivateDjango {
|
||||
instance(DataFlow::TypeTracker::end(), sql).flowsTo(result)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for RawSql */
|
||||
deprecated module RawSQL = RawSql;
|
||||
}
|
||||
|
||||
/** This internal module provides data-flow modeling of Django ORM. */
|
||||
@@ -1099,9 +1084,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.urls` module. */
|
||||
API::Node urls() { result = django().getMember("urls") }
|
||||
|
||||
/** DEPRECATED: Alias for `Urls` */
|
||||
deprecated module urls = Urls;
|
||||
|
||||
/** Provides models for the `django.urls` module */
|
||||
module Urls {
|
||||
/**
|
||||
@@ -1123,14 +1105,8 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.conf` module. */
|
||||
API::Node conf() { result = django().getMember("conf") }
|
||||
|
||||
/** DEPRECATED: Alias for `Conf` */
|
||||
deprecated module conf = Conf;
|
||||
|
||||
/** Provides models for the `django.conf` module */
|
||||
module Conf {
|
||||
/** DEPRECATED: Alias for `ConfUrls` */
|
||||
deprecated module conf_urls = ConfUrls;
|
||||
|
||||
/** Provides models for the `django.conf.urls` module */
|
||||
module ConfUrls {
|
||||
// -------------------------------------------------------------------------
|
||||
@@ -1166,9 +1142,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.http.request` module. */
|
||||
API::Node request() { result = http().getMember("request") }
|
||||
|
||||
/** DEPRECATED: Alias for `Request` */
|
||||
deprecated module request = Request;
|
||||
|
||||
/** Provides models for the `django.http.request` module. */
|
||||
module Request {
|
||||
/**
|
||||
@@ -1331,9 +1304,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.http.response` module. */
|
||||
API::Node response() { result = http().getMember("response") }
|
||||
|
||||
/** DEPRECATED: Alias for `Response` */
|
||||
deprecated module response = Response;
|
||||
|
||||
/** Provides models for the `django.http.response` module */
|
||||
module Response {
|
||||
/**
|
||||
@@ -2189,9 +2159,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.shortcuts` module. */
|
||||
API::Node shortcuts() { result = django().getMember("shortcuts") }
|
||||
|
||||
/** DEPRECATED: Alias for `Shortcuts` */
|
||||
deprecated module shortcuts = Shortcuts;
|
||||
|
||||
/** Provides models for the `django.shortcuts` module */
|
||||
module Shortcuts {
|
||||
/**
|
||||
|
||||
@@ -37,9 +37,6 @@ private module FastApi {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ApiRouter */
|
||||
deprecated module APIRouter = ApiRouter;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// routing modeling
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -359,7 +359,4 @@ private module RestFramework {
|
||||
override string getMimetypeDefault() { none() }
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ApiException */
|
||||
deprecated module APIException = ApiException;
|
||||
}
|
||||
|
||||
@@ -169,9 +169,6 @@ module SqlAlchemy {
|
||||
DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for DBApiConnection */
|
||||
deprecated module DBAPIConnection = DBApiConnection;
|
||||
|
||||
/**
|
||||
* Provides models for the `sqlalchemy.orm.Session` class
|
||||
*
|
||||
|
||||
@@ -130,9 +130,6 @@ module Stdlib {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpMessage */
|
||||
deprecated module HTTPMessage = HttpMessage;
|
||||
|
||||
/**
|
||||
* Provides models for the `http.cookies.Morsel` class
|
||||
*
|
||||
@@ -1821,9 +1818,6 @@ private module StdlibPrivate {
|
||||
/** Gets a reference to the `BaseHttpServer` module. */
|
||||
API::Node baseHttpServer() { result = API::moduleImport("BaseHTTPServer") }
|
||||
|
||||
/** DEPRECATED: Alias for baseHttpServer */
|
||||
deprecated API::Node baseHTTPServer() { result = baseHttpServer() }
|
||||
|
||||
/** Provides models for the `BaseHttpServer` module. */
|
||||
module BaseHttpServer {
|
||||
/**
|
||||
@@ -1833,23 +1827,14 @@ private module StdlibPrivate {
|
||||
/** Gets a reference to the `BaseHttpServer.BaseHttpRequestHandler` class. */
|
||||
API::Node classRef() { result = baseHttpServer().getMember("BaseHTTPRequestHandler") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for BaseHttpRequestHandler */
|
||||
deprecated module BaseHTTPRequestHandler = BaseHttpRequestHandler;
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for BaseHttpServer */
|
||||
deprecated module BaseHTTPServer = BaseHttpServer;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// SimpleHTTPServer (Python 2 only)
|
||||
// ---------------------------------------------------------------------------
|
||||
/** Gets a reference to the `SimpleHttpServer` module. */
|
||||
API::Node simpleHttpServer() { result = API::moduleImport("SimpleHTTPServer") }
|
||||
|
||||
/** DEPRECATED: Alias for simpleHttpServer */
|
||||
deprecated API::Node simpleHTTPServer() { result = simpleHttpServer() }
|
||||
|
||||
/** Provides models for the `SimpleHttpServer` module. */
|
||||
module SimpleHttpServer {
|
||||
/**
|
||||
@@ -1859,23 +1844,14 @@ private module StdlibPrivate {
|
||||
/** Gets a reference to the `SimpleHttpServer.SimpleHttpRequestHandler` class. */
|
||||
API::Node classRef() { result = simpleHttpServer().getMember("SimpleHTTPRequestHandler") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleHttpRequestHandler */
|
||||
deprecated module SimpleHTTPRequestHandler = SimpleHttpRequestHandler;
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleHttpServer */
|
||||
deprecated module SimpleHTTPServer = SimpleHttpServer;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// CGIHTTPServer (Python 2 only)
|
||||
// ---------------------------------------------------------------------------
|
||||
/** Gets a reference to the `CGIHTTPServer` module. */
|
||||
API::Node cgiHttpServer() { result = API::moduleImport("CGIHTTPServer") }
|
||||
|
||||
/** DEPRECATED: Alias for cgiHttpServer */
|
||||
deprecated API::Node cgiHTTPServer() { result = cgiHttpServer() }
|
||||
|
||||
/** Provides models for the `CGIHTTPServer` module. */
|
||||
module CgiHttpServer {
|
||||
/**
|
||||
@@ -1919,9 +1895,6 @@ private module StdlibPrivate {
|
||||
API::Node classRef() { result = server().getMember("BaseHTTPRequestHandler") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for BaseHttpRequestHandler */
|
||||
deprecated module BaseHTTPRequestHandler = BaseHttpRequestHandler;
|
||||
|
||||
/**
|
||||
* Provides models for the `http.server.SimpleHTTPRequestHandler` class (Python 3 only).
|
||||
*
|
||||
@@ -1932,9 +1905,6 @@ private module StdlibPrivate {
|
||||
API::Node classRef() { result = server().getMember("SimpleHTTPRequestHandler") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleHttpRequestHandler */
|
||||
deprecated module SimpleHTTPRequestHandler = SimpleHttpRequestHandler;
|
||||
|
||||
/**
|
||||
* Provides models for the `http.server.CGIHTTPRequestHandler` class (Python 3 only).
|
||||
*
|
||||
@@ -1978,9 +1948,6 @@ private module StdlibPrivate {
|
||||
HttpRequestHandlerClassDef() { this.getParent() = subclassRef().asSource().asExpr() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpRequestHandlerClassDef */
|
||||
deprecated class HTTPRequestHandlerClassDef = HttpRequestHandlerClassDef;
|
||||
|
||||
/**
|
||||
* A source of instances of the `BaseHTTPRequestHandler` class or any subclass, extend this class to model new instances.
|
||||
*
|
||||
@@ -2352,9 +2319,6 @@ private module StdlibPrivate {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpConnection */
|
||||
deprecated module HTTPConnection = HttpConnection;
|
||||
|
||||
/**
|
||||
* Provides models for the `http.client.HTTPResponse` class
|
||||
*
|
||||
@@ -2424,9 +2388,6 @@ private module StdlibPrivate {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpResponse */
|
||||
deprecated module HTTPResponse = HttpResponse;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// sqlite3
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -64,9 +64,6 @@ module Tornado {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpHeaders */
|
||||
deprecated module HTTPHeaders = HttpHeaders;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// tornado
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -1445,14 +1445,6 @@ module Expressions {
|
||||
)
|
||||
}
|
||||
|
||||
deprecated predicate subscriptPointsTo(
|
||||
SubscriptNode subscr, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode obj, ObjectInternal objvalue
|
||||
) {
|
||||
subscriptPointsTo(subscr, context, value, obj, objvalue) and
|
||||
origin = subscr
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate subscriptPointsTo(
|
||||
SubscriptNode subscr, PointsToContext context, ObjectInternal value, ControlFlowNode obj,
|
||||
@@ -1489,14 +1481,6 @@ module Expressions {
|
||||
index = subscr.getIndex()
|
||||
}
|
||||
|
||||
deprecated predicate binaryPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode operand, ObjectInternal opvalue
|
||||
) {
|
||||
binaryPointsTo(b, context, value, operand, opvalue) and
|
||||
origin = b
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracking too many binary expressions is likely to kill performance, so just say anything other than addition or bitwise or is 'unknown'.
|
||||
*/
|
||||
@@ -1521,14 +1505,6 @@ module Expressions {
|
||||
)
|
||||
}
|
||||
|
||||
deprecated predicate addPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode operand, ObjectInternal opvalue
|
||||
) {
|
||||
addPointsTo(b, context, value, operand, opvalue) and
|
||||
origin = b
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate addPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode operand,
|
||||
@@ -1545,14 +1521,6 @@ module Expressions {
|
||||
)
|
||||
}
|
||||
|
||||
deprecated predicate bitOrPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode operand, ObjectInternal opvalue
|
||||
) {
|
||||
bitOrPointsTo(b, context, value, operand, opvalue) and
|
||||
origin = b
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate bitOrPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode operand,
|
||||
@@ -1577,14 +1545,6 @@ module Expressions {
|
||||
value = obj.intValue()
|
||||
}
|
||||
|
||||
deprecated predicate unaryPointsTo(
|
||||
UnaryExprNode u, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode operand, ObjectInternal opvalue
|
||||
) {
|
||||
unaryPointsTo(u, context, value, operand, opvalue) and
|
||||
origin = u
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate unaryPointsTo(
|
||||
UnaryExprNode u, PointsToContext context, ObjectInternal value, ControlFlowNode operand,
|
||||
@@ -1603,14 +1563,6 @@ module Expressions {
|
||||
)
|
||||
}
|
||||
|
||||
deprecated predicate builtinCallPointsTo(
|
||||
CallNode call, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode arg, ObjectInternal argvalue
|
||||
) {
|
||||
builtinCallPointsTo(call, context, value, arg, argvalue) and
|
||||
origin = call
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate builtinCallPointsTo(
|
||||
CallNode call, PointsToContext context, ObjectInternal value, ControlFlowNode arg,
|
||||
|
||||
@@ -1,54 +0,0 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.SensitiveData
|
||||
import semmle.python.dataflow.Files
|
||||
import semmle.python.web.Http
|
||||
|
||||
deprecated module ClearTextStorage {
|
||||
abstract class Sink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
|
||||
}
|
||||
|
||||
class CookieStorageSink extends Sink {
|
||||
CookieStorageSink() { any(CookieSet cookie).getValue() = this }
|
||||
}
|
||||
|
||||
class FileStorageSink extends Sink {
|
||||
FileStorageSink() {
|
||||
exists(CallNode call, AttrNode meth, string name |
|
||||
any(OpenFile fd).taints(meth.getObject(name)) and
|
||||
call.getFunction() = meth and
|
||||
call.getAnArg() = this
|
||||
|
|
||||
name = "write"
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
deprecated module ClearTextLogging {
|
||||
abstract class Sink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
|
||||
}
|
||||
|
||||
class PrintSink extends Sink {
|
||||
PrintSink() {
|
||||
exists(CallNode call |
|
||||
call.getAnArg() = this and
|
||||
call = Value::named("print").getACall()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
class LoggingSink extends Sink {
|
||||
LoggingSink() {
|
||||
exists(CallNode call, AttrNode meth, string name |
|
||||
call.getFunction() = meth and
|
||||
meth.getObject(name).(NameNode).getId().matches("logg%") and
|
||||
call.getAnArg() = this
|
||||
|
|
||||
name = ["error", "warn", "warning", "debug", "info"]
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,139 +0,0 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
private import semmle.python.security.SensitiveData
|
||||
private import semmle.crypto.Crypto as CryptoLib
|
||||
|
||||
abstract deprecated class WeakCryptoSink extends TaintSink {
|
||||
override predicate sinks(TaintKind taint) { taint instanceof SensitiveData }
|
||||
}
|
||||
|
||||
/** Modeling the 'pycrypto' package https://github.com/dlitz/pycrypto (latest release 2013) */
|
||||
deprecated module Pycrypto {
|
||||
ModuleValue cipher(string name) { result = Module::named("Crypto.Cipher").attr(name) }
|
||||
|
||||
class CipherInstance extends TaintKind {
|
||||
string name;
|
||||
|
||||
CipherInstance() {
|
||||
this = "Crypto.Cipher." + name and
|
||||
exists(cipher(name))
|
||||
}
|
||||
|
||||
string getName() { result = name }
|
||||
|
||||
CryptoLib::CryptographicAlgorithm getAlgorithm() { result.getName() = name }
|
||||
|
||||
predicate isWeak() { this.getAlgorithm().isWeak() }
|
||||
}
|
||||
|
||||
class CipherInstanceSource extends TaintSource {
|
||||
CipherInstance instance;
|
||||
|
||||
CipherInstanceSource() {
|
||||
exists(AttrNode attr |
|
||||
this.(CallNode).getFunction() = attr and
|
||||
attr.getObject("new").pointsTo(cipher(instance.getName()))
|
||||
)
|
||||
}
|
||||
|
||||
override string toString() { result = "Source of " + instance }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind = instance }
|
||||
}
|
||||
|
||||
class PycryptoWeakCryptoSink extends WeakCryptoSink {
|
||||
string name;
|
||||
|
||||
PycryptoWeakCryptoSink() {
|
||||
exists(CallNode call, AttrNode method, CipherInstance cipher |
|
||||
call.getAnArg() = this and
|
||||
call.getFunction() = method and
|
||||
cipher.taints(method.getObject("encrypt")) and
|
||||
cipher.isWeak() and
|
||||
cipher.getName() = name
|
||||
)
|
||||
}
|
||||
|
||||
override string toString() { result = "Use of weak crypto algorithm " + name }
|
||||
}
|
||||
}
|
||||
|
||||
deprecated module Cryptography {
|
||||
ModuleValue ciphers() {
|
||||
result = Module::named("cryptography.hazmat.primitives.ciphers") and
|
||||
result.isPackage()
|
||||
}
|
||||
|
||||
class CipherClass extends ClassValue {
|
||||
CipherClass() { ciphers().attr("Cipher") = this }
|
||||
}
|
||||
|
||||
class AlgorithmClass extends ClassValue {
|
||||
AlgorithmClass() { ciphers().attr("algorithms").attr(_) = this }
|
||||
|
||||
string getAlgorithmName() { result = this.declaredAttribute("name").(StringValue).getText() }
|
||||
|
||||
predicate isWeak() {
|
||||
exists(CryptoLib::CryptographicAlgorithm algo |
|
||||
algo.getName() = this.getAlgorithmName() and
|
||||
algo.isWeak()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
class CipherInstance extends TaintKind {
|
||||
AlgorithmClass cls;
|
||||
|
||||
CipherInstance() { this = "cryptography.Cipher." + cls.getAlgorithmName() }
|
||||
|
||||
AlgorithmClass getAlgorithm() { result = cls }
|
||||
|
||||
predicate isWeak() { cls.isWeak() }
|
||||
|
||||
override TaintKind getTaintOfMethodResult(string name) {
|
||||
name = "encryptor" and
|
||||
result.(Encryptor).getAlgorithm() = this.getAlgorithm()
|
||||
}
|
||||
}
|
||||
|
||||
class CipherSource extends TaintSource {
|
||||
CipherSource() { this.(CallNode).getFunction().pointsTo(any(CipherClass cls)) }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) {
|
||||
this.(CallNode).getArg(0).pointsTo().getClass() = kind.(CipherInstance).getAlgorithm()
|
||||
}
|
||||
|
||||
override string toString() { result = "cryptography.Cipher.source" }
|
||||
}
|
||||
|
||||
class Encryptor extends TaintKind {
|
||||
AlgorithmClass cls;
|
||||
|
||||
Encryptor() { this = "cryptography.encryptor." + cls.getAlgorithmName() }
|
||||
|
||||
AlgorithmClass getAlgorithm() { result = cls }
|
||||
}
|
||||
|
||||
class CryptographyWeakCryptoSink extends WeakCryptoSink {
|
||||
CryptographyWeakCryptoSink() {
|
||||
exists(CallNode call, AttrNode method, Encryptor encryptor |
|
||||
call.getAnArg() = this and
|
||||
call.getFunction() = method and
|
||||
encryptor.taints(method.getObject("update")) and
|
||||
encryptor.getAlgorithm().isWeak()
|
||||
)
|
||||
}
|
||||
|
||||
override string toString() { result = "Use of weak crypto algorithm" }
|
||||
}
|
||||
}
|
||||
|
||||
deprecated private class CipherConfig extends TaintTracking::Configuration {
|
||||
CipherConfig() { this = "Crypto cipher config" }
|
||||
|
||||
override predicate isSource(TaintTracking::Source source) {
|
||||
source instanceof Pycrypto::CipherInstanceSource
|
||||
or
|
||||
source instanceof Cryptography::CipherSource
|
||||
}
|
||||
}
|
||||
@@ -1,118 +0,0 @@
|
||||
/**
|
||||
* Provides classes and predicates for identifying sensitive data and methods for security.
|
||||
*
|
||||
* 'Sensitive' data in general is anything that should not be sent around in unencrypted form. This
|
||||
* library tries to guess where sensitive data may either be stored in a variable or produced by a
|
||||
* method.
|
||||
*
|
||||
* In addition, there are methods that ought not to be executed or not in a fashion that the user
|
||||
* can control. This includes authorization methods such as logins, and sending of data, etc.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.internal.SensitiveDataHeuristics
|
||||
private import HeuristicNames
|
||||
|
||||
abstract deprecated class SensitiveData extends TaintKind {
|
||||
bindingset[this]
|
||||
SensitiveData() { this = this }
|
||||
|
||||
/** Gets the classification of this sensitive data taint kind. */
|
||||
abstract SensitiveDataClassification getClassification();
|
||||
}
|
||||
|
||||
deprecated module SensitiveData {
|
||||
class Secret extends SensitiveData {
|
||||
Secret() { this = "sensitive.data.secret" }
|
||||
|
||||
override string repr() { result = "a secret" }
|
||||
|
||||
override SensitiveDataClassification getClassification() {
|
||||
result = SensitiveDataClassification::secret()
|
||||
}
|
||||
}
|
||||
|
||||
class Id extends SensitiveData {
|
||||
Id() { this = "sensitive.data.id" }
|
||||
|
||||
override string repr() { result = "an ID" }
|
||||
|
||||
override SensitiveDataClassification getClassification() {
|
||||
result = SensitiveDataClassification::id()
|
||||
}
|
||||
}
|
||||
|
||||
class Password extends SensitiveData {
|
||||
Password() { this = "sensitive.data.password" }
|
||||
|
||||
override string repr() { result = "a password" }
|
||||
|
||||
override SensitiveDataClassification getClassification() {
|
||||
result = SensitiveDataClassification::password()
|
||||
}
|
||||
}
|
||||
|
||||
class Certificate extends SensitiveData {
|
||||
Certificate() { this = "sensitive.data.certificate" }
|
||||
|
||||
override string repr() { result = "a certificate or key" }
|
||||
|
||||
override SensitiveDataClassification getClassification() {
|
||||
result = SensitiveDataClassification::certificate()
|
||||
}
|
||||
}
|
||||
|
||||
private SensitiveData fromFunction(Value func) {
|
||||
nameIndicatesSensitiveData(func.getName(), result.getClassification())
|
||||
}
|
||||
|
||||
abstract class Source extends TaintSource {
|
||||
abstract string repr();
|
||||
}
|
||||
|
||||
private class SensitiveCallSource extends Source {
|
||||
SensitiveData data;
|
||||
|
||||
SensitiveCallSource() {
|
||||
exists(Value callee | callee.getACall() = this | data = fromFunction(callee))
|
||||
}
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind = data }
|
||||
|
||||
override string repr() { result = "a call returning " + data.repr() }
|
||||
}
|
||||
|
||||
/** An access to a variable or property that might contain sensitive data. */
|
||||
private class SensitiveVariableAccess extends SensitiveData::Source {
|
||||
SensitiveData data;
|
||||
|
||||
SensitiveVariableAccess() {
|
||||
nameIndicatesSensitiveData(this.(AttrNode).getName(), data.getClassification())
|
||||
}
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind = data }
|
||||
|
||||
override string repr() { result = "an attribute or property containing " + data.repr() }
|
||||
}
|
||||
|
||||
private class SensitiveRequestParameter extends SensitiveData::Source {
|
||||
SensitiveData data;
|
||||
|
||||
SensitiveRequestParameter() {
|
||||
this.(CallNode).getFunction().(AttrNode).getName() = "get" and
|
||||
exists(StringValue sensitive |
|
||||
this.(CallNode).getAnArg().pointsTo(sensitive) and
|
||||
nameIndicatesSensitiveData(sensitive.getText(), data.getClassification())
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind = data }
|
||||
|
||||
override string repr() { result = "a request parameter containing " + data.repr() }
|
||||
}
|
||||
}
|
||||
|
||||
//Backwards compatibility
|
||||
deprecated class SensitiveDataSource = SensitiveData::Source;
|
||||
@@ -1,95 +0,0 @@
|
||||
/**
|
||||
* DEPRECATED -- use flow state instead
|
||||
*
|
||||
* This defines a `PathGraph` where sinks from `TaintTracking::Configuration`s are identified with
|
||||
* sources from `TaintTracking2::Configuration`s if they represent the same `ControlFlowNode`.
|
||||
*
|
||||
* Paths are then connected appropriately.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.DataFlow2
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
import semmle.python.dataflow.new.TaintTracking2
|
||||
|
||||
/**
|
||||
* A `DataFlow::Node` that appears as a sink in Config1 and a source in Config2.
|
||||
*/
|
||||
private predicate crossoverNode(DataFlow::Node n) {
|
||||
any(TaintTracking::Configuration t1).isSink(n) and
|
||||
any(TaintTracking2::Configuration t2).isSource(n)
|
||||
}
|
||||
|
||||
/**
|
||||
* A new type which represents the union of the two sets of nodes.
|
||||
*/
|
||||
private newtype TCustomPathNode =
|
||||
Config1Node(DataFlow::PathNode node1) { not crossoverNode(node1.getNode()) } or
|
||||
Config2Node(DataFlow2::PathNode node2) { not crossoverNode(node2.getNode()) } or
|
||||
CrossoverNode(DataFlow::Node node) { crossoverNode(node) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use flow state instead
|
||||
*
|
||||
* A class representing the set of all the path nodes in either config.
|
||||
*/
|
||||
deprecated class CustomPathNode extends TCustomPathNode {
|
||||
/** Gets the PathNode if it is in Config1. */
|
||||
DataFlow::PathNode asNode1() {
|
||||
this = Config1Node(result) or this = CrossoverNode(result.getNode())
|
||||
}
|
||||
|
||||
/** Gets the PathNode if it is in Config2. */
|
||||
DataFlow2::PathNode asNode2() {
|
||||
this = Config2Node(result) or this = CrossoverNode(result.getNode())
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this element is at the specified location.
|
||||
* The location spans column `startcolumn` of line `startline` to
|
||||
* column `endcolumn` of line `endline` in file `filepath`.
|
||||
* For more information, see
|
||||
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
|
||||
*/
|
||||
predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this.asNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
or
|
||||
this.asNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
}
|
||||
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString() {
|
||||
result = this.asNode1().toString()
|
||||
or
|
||||
result = this.asNode2().toString()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use flow state instead
|
||||
*
|
||||
* Holds if `(a,b)` is an edge in the graph of data flow path explanations.
|
||||
*/
|
||||
deprecated query predicate edges(CustomPathNode a, CustomPathNode b) {
|
||||
// Edge is in Config1 graph
|
||||
DataFlow::PathGraph::edges(a.asNode1(), b.asNode1())
|
||||
or
|
||||
// Edge is in Config2 graph
|
||||
DataFlow2::PathGraph::edges(a.asNode2(), b.asNode2())
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use flow state instead
|
||||
*
|
||||
* Holds if `n` is a node in the graph of data flow path explanations.
|
||||
*/
|
||||
deprecated query predicate nodes(CustomPathNode n, string key, string val) {
|
||||
// Node is in Config1 graph
|
||||
DataFlow::PathGraph::nodes(n.asNode1(), key, val)
|
||||
or
|
||||
// Node is in Config2 graph
|
||||
DataFlow2::PathGraph::nodes(n.asNode2(), key, val)
|
||||
}
|
||||
@@ -1,14 +0,0 @@
|
||||
/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
|
||||
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.dataflow.new.TaintTracking
|
||||
private import semmle.python.Concepts
|
||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import semmle.python.dataflow.new.SensitiveDataSources
|
||||
|
||||
/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
|
||||
deprecated module CleartextLogging {
|
||||
import CleartextLoggingQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,14 +0,0 @@
|
||||
/** DEPRECATED. Import `CleartextStorageQuery` instead. */
|
||||
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.dataflow.new.TaintTracking
|
||||
private import semmle.python.Concepts
|
||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import semmle.python.dataflow.new.SensitiveDataSources
|
||||
|
||||
/** DEPRECATED. Import `CleartextStorageQuery` instead. */
|
||||
deprecated module CleartextStorage {
|
||||
import CleartextStorageQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `CodeInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `CodeInjectionQuery` instead. */
|
||||
deprecated module CodeInjection {
|
||||
import CodeInjectionQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `CodeInjectionQuery` instead. */
|
||||
deprecated class CodeInjectionConfiguration = CodeInjection::Configuration;
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `CommandInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `CommandInjectionQuery` instead. */
|
||||
deprecated module CommandInjection {
|
||||
import CommandInjectionQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `CommandInjectionQuery` instead. */
|
||||
deprecated class CommandInjectionConfiguration = CommandInjection::Configuration;
|
||||
@@ -1,12 +0,0 @@
|
||||
/** DEPRECATED. Import `LdapInjectionQuery` instead. */
|
||||
|
||||
import python
|
||||
import semmle.python.Concepts
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
import semmle.python.dataflow.new.RemoteFlowSources
|
||||
|
||||
/** DEPRECATED. Import `LdapInjectionQuery` instead. */
|
||||
deprecated module LdapInjection {
|
||||
import LdapInjectionQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
/** DEPRECATED. Import `LogInjectionQuery` instead. */
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `LogInjectionQuery` instead. */
|
||||
deprecated module LogInjection {
|
||||
import LogInjectionQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,133 +0,0 @@
|
||||
/** DEPRECATED. Import `PathInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
private import semmle.python.Concepts
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `PathInjectionQuery` instead. */
|
||||
deprecated module PathInjection {
|
||||
import PathInjectionQuery // ignore-query-import
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Old, deprecated code
|
||||
// ---------------------------------------------------------------------------
|
||||
private import semmle.python.dataflow.new.DataFlow2
|
||||
private import semmle.python.dataflow.new.TaintTracking2
|
||||
private import ChainedConfigs12
|
||||
import PathInjectionCustomizations::PathInjection
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Case 1. The path is never normalized.
|
||||
// ---------------------------------------------------------------------------
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Configuration to find paths from sources to sinks that contain no normalization.
|
||||
*/
|
||||
deprecated class PathNotNormalizedConfiguration extends TaintTracking::Configuration {
|
||||
PathNotNormalizedConfiguration() { this = "PathNotNormalizedConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node instanceof Sanitizer
|
||||
or
|
||||
node instanceof Path::PathNormalization
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Holds if there is a path injection from source to sink, where the (python) path is
|
||||
* not normalized.
|
||||
*/
|
||||
deprecated predicate pathNotNormalized(CustomPathNode source, CustomPathNode sink) {
|
||||
any(PathNotNormalizedConfiguration config).hasFlowPath(source.asNode1(), sink.asNode1())
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Case 2. The path is normalized at least once, but never checked afterwards.
|
||||
// ---------------------------------------------------------------------------
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Configuration to find paths from sources to normalizations that contain no prior normalizations.
|
||||
*/
|
||||
deprecated class FirstNormalizationConfiguration extends TaintTracking::Configuration {
|
||||
FirstNormalizationConfiguration() { this = "FirstNormalizationConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization }
|
||||
|
||||
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Configuration to find paths from normalizations to sinks that do not go through a check.
|
||||
*/
|
||||
deprecated class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuration {
|
||||
NormalizedPathNotCheckedConfiguration() { this = "NormalizedPathNotCheckedConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Path::PathNormalization }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node instanceof Path::SafeAccessCheck
|
||||
or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Holds if there is a path injection from source to sink, where the (python) path is
|
||||
* normalized at least once, but never checked afterwards.
|
||||
*/
|
||||
deprecated predicate pathNotCheckedAfterNormalization(CustomPathNode source, CustomPathNode sink) {
|
||||
exists(
|
||||
FirstNormalizationConfiguration config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2,
|
||||
NormalizedPathNotCheckedConfiguration config2
|
||||
|
|
||||
config.hasFlowPath(source.asNode1(), mid1) and
|
||||
config2.hasFlowPath(mid2, sink.asNode2()) and
|
||||
mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode()
|
||||
)
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Query: Either case 1 or case 2.
|
||||
// ---------------------------------------------------------------------------
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Holds if there is a path injection from source to sink
|
||||
*/
|
||||
deprecated predicate pathInjection(CustomPathNode source, CustomPathNode sink) {
|
||||
pathNotNormalized(source, sink)
|
||||
or
|
||||
pathNotCheckedAfterNormalization(source, sink)
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */
|
||||
deprecated module PolynomialReDoS {
|
||||
import PolynomialReDoSQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
|
||||
deprecated module ReflectedXss {
|
||||
import ReflectedXssQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
|
||||
deprecated module ReflectedXSS = ReflectedXss;
|
||||
|
||||
/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
|
||||
deprecated class ReflectedXssConfiguration = ReflectedXss::Configuration;
|
||||
@@ -76,6 +76,3 @@ module ReflectedXss {
|
||||
*/
|
||||
class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ReflectedXss */
|
||||
deprecated module ReflectedXSS = ReflectedXss;
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
/** DEPRECATED. Import `RegexInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `RegexInjectionQuery` instead. */
|
||||
deprecated module RegexInjection {
|
||||
import RegexInjectionQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,25 +0,0 @@
|
||||
/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
import semmle.python.Concepts
|
||||
import ServerSideRequestForgeryQuery as ServerSideRequestForgeryQuery // ignore-query-import
|
||||
|
||||
/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
|
||||
deprecated module FullServerSideRequestForgery {
|
||||
import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
|
||||
|
||||
class Configuration = ServerSideRequestForgeryQuery::FullServerSideRequestForgeryConfiguration;
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
|
||||
deprecated predicate fullyControlledRequest =
|
||||
ServerSideRequestForgeryQuery::fullyControlledRequest/1;
|
||||
|
||||
/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
|
||||
deprecated module PartialServerSideRequestForgery {
|
||||
import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
|
||||
|
||||
class Configuration = ServerSideRequestForgeryQuery::PartialServerSideRequestForgeryConfiguration;
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
/** DEPRECATED. Import `SqlInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `SqlInjectionQuery` instead. */
|
||||
deprecated module SqlInjection {
|
||||
import SqlInjectionQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `SqlInjectionQuery` instead. */
|
||||
deprecated class SqlInjectionConfiguration = SqlInjection::Configuration;
|
||||
|
||||
/** DEPRECATED. Import `SqlInjectionQuery` instead. */
|
||||
deprecated class SQLInjectionConfiguration = SqlInjectionConfiguration;
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
|
||||
deprecated module StackTraceExposure {
|
||||
import StackTraceExposureQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
|
||||
deprecated class StackTraceExposureConfiguration = StackTraceExposure::Configuration;
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
|
||||
deprecated module UnsafeDeserialization {
|
||||
import UnsafeDeserializationQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
|
||||
deprecated class UnsafeDeserializationConfiguration = UnsafeDeserialization::Configuration;
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `UrlRedirectQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `UrlRedirectQuery` instead. */
|
||||
deprecated module UrlRedirect {
|
||||
import UrlRedirectQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `UrlRedirectQuery` instead. */
|
||||
deprecated class UrlRedirectConfiguration = UrlRedirect::Configuration;
|
||||
@@ -1,19 +0,0 @@
|
||||
/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
|
||||
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.dataflow.new.TaintTracking
|
||||
private import semmle.python.Concepts
|
||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import semmle.python.dataflow.new.SensitiveDataSources
|
||||
|
||||
/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
|
||||
deprecated module NormalHashFunction {
|
||||
import WeakSensitiveDataHashingQuery::NormalHashFunction // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
|
||||
deprecated module ComputationallyExpensiveHashFunction {
|
||||
import WeakSensitiveDataHashingQuery::ComputationallyExpensiveHashFunction // ignore-query-import
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
/** DEPRECATED. Import `XpathInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `XpathInjectionQuery` instead. */
|
||||
deprecated module XpathInjection {
|
||||
import XpathInjectionQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
import python
|
||||
import semmle.python.security.strings.Basic
|
||||
|
||||
/** Assume that taint flows from argument to result for *any* call */
|
||||
deprecated class AnyCallStringFlow extends DataFlowExtension::DataFlowNode {
|
||||
AnyCallStringFlow() { any(CallNode call).getAnArg() = this }
|
||||
|
||||
override ControlFlowNode getASuccessorNode() { result.(CallNode).getAnArg() = this }
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
/** `pickle.loads(untrusted)` vulnerability. */
|
||||
abstract deprecated class DeserializationSink extends TaintSink {
|
||||
bindingset[this]
|
||||
DeserializationSink() { this = this }
|
||||
}
|
||||
@@ -1,29 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious Python code.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
/**
|
||||
* A taint sink that represents an argument to exec or eval that is vulnerable to malicious input.
|
||||
* The `vuln` in `exec(vuln)` or similar.
|
||||
*/
|
||||
deprecated class StringEvaluationNode extends TaintSink {
|
||||
override string toString() { result = "exec or eval" }
|
||||
|
||||
StringEvaluationNode() {
|
||||
exists(Exec exec | exec.getASubExpression().getAFlowNode() = this)
|
||||
or
|
||||
Value::named("exec").getACall().getAnArg() = this
|
||||
or
|
||||
Value::named("eval").getACall().getAnArg() = this
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,33 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious marshals.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
deprecated private FunctionObject marshalLoads() {
|
||||
result = ModuleObject::named("marshal").attr("loads")
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint sink that is potentially vulnerable to malicious marshaled objects.
|
||||
* The `vuln` in `marshal.loads(vuln)`.
|
||||
*/
|
||||
deprecated class UnmarshalingNode extends DeserializationSink {
|
||||
override string toString() { result = "unmarshaling vulnerability" }
|
||||
|
||||
UnmarshalingNode() {
|
||||
exists(CallNode call |
|
||||
marshalLoads().getACall() = call and
|
||||
call.getAnArg() = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,81 +0,0 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
/**
|
||||
* Prevents taint flowing through ntpath.normpath()
|
||||
* NormalizedPath below handles that case.
|
||||
*/
|
||||
deprecated class PathSanitizer extends Sanitizer {
|
||||
PathSanitizer() { this = "path.sanitizer" }
|
||||
|
||||
override predicate sanitizingNode(TaintKind taint, ControlFlowNode node) {
|
||||
taint instanceof ExternalStringKind and
|
||||
abspath_call(node, _)
|
||||
}
|
||||
}
|
||||
|
||||
deprecated private FunctionObject abspath() {
|
||||
exists(ModuleObject os_path | ModuleObject::named("os").attr("path") = os_path |
|
||||
os_path.attr("abspath") = result
|
||||
or
|
||||
os_path.attr("normpath") = result
|
||||
)
|
||||
}
|
||||
|
||||
/** A path that has been normalized, but not verified to be safe */
|
||||
deprecated class NormalizedPath extends TaintKind {
|
||||
NormalizedPath() { this = "normalized.path.injection" }
|
||||
|
||||
override string repr() { result = "normalized path" }
|
||||
}
|
||||
|
||||
deprecated private predicate abspath_call(CallNode call, ControlFlowNode arg) {
|
||||
call.getFunction().refersTo(abspath()) and
|
||||
arg = call.getArg(0)
|
||||
}
|
||||
|
||||
deprecated class AbsPath extends DataFlowExtension::DataFlowNode {
|
||||
AbsPath() { abspath_call(_, this) }
|
||||
|
||||
override ControlFlowNode getASuccessorNode(TaintKind fromkind, TaintKind tokind) {
|
||||
abspath_call(result, this) and
|
||||
tokind instanceof NormalizedPath and
|
||||
fromkind instanceof ExternalStringKind
|
||||
}
|
||||
}
|
||||
|
||||
deprecated class NormalizedPathSanitizer extends Sanitizer {
|
||||
NormalizedPathSanitizer() { this = "normalized.path.sanitizer" }
|
||||
|
||||
override predicate sanitizingEdge(TaintKind taint, PyEdgeRefinement test) {
|
||||
taint instanceof NormalizedPath and
|
||||
test.getTest().(CallNode).getFunction().(AttrNode).getName() = "startswith" and
|
||||
test.getSense() = true
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint sink that is vulnerable to malicious paths.
|
||||
* The `vuln` in `open(vuln)` and similar.
|
||||
*/
|
||||
deprecated class OpenNode extends TaintSink {
|
||||
override string toString() { result = "argument to open()" }
|
||||
|
||||
OpenNode() {
|
||||
exists(CallNode call |
|
||||
call = Value::named("open").getACall() and
|
||||
(
|
||||
call.getArg(0) = this
|
||||
or
|
||||
call.getArgByName("file") = this
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) {
|
||||
kind instanceof ExternalStringKind
|
||||
or
|
||||
kind instanceof NormalizedPath
|
||||
}
|
||||
}
|
||||
@@ -1,36 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious pickles.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
deprecated private ModuleObject pickleModule() {
|
||||
result.getName() = "pickle"
|
||||
or
|
||||
result.getName() = "cPickle"
|
||||
or
|
||||
result.getName() = "dill"
|
||||
}
|
||||
|
||||
deprecated private FunctionObject pickleLoads() { result = pickleModule().attr("loads") }
|
||||
|
||||
/** `pickle.loads(untrusted)` vulnerability. */
|
||||
deprecated class UnpicklingNode extends DeserializationSink {
|
||||
override string toString() { result = "unpickling untrusted data" }
|
||||
|
||||
UnpicklingNode() {
|
||||
exists(CallNode call |
|
||||
pickleLoads().getACall() = call and
|
||||
call.getAnArg() = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
/** DEPRECATED: use semmle.python.security.dataflow.RegexInjection instead. */
|
||||
|
||||
private import semmle.python.security.dataflow.RegexInjection as New
|
||||
|
||||
/** DEPRECATED: use semmle.python.security.dataflow.RegexInjection instead. */
|
||||
deprecated module RegexInjection = New::RegexInjection;
|
||||
@@ -1,6 +0,0 @@
|
||||
/** DEPRECATED: use semmle.python.security.dataflow.RegexInjectionCustomizations instead. */
|
||||
|
||||
private import semmle.python.security.dataflow.RegexInjectionCustomizations as New
|
||||
|
||||
/** DEPRECATED: use semmle.python.security.dataflow.RegexInjectionCustomizations instead. */
|
||||
deprecated module RegexInjection = New::RegexInjection;
|
||||
@@ -1,70 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious XML objects.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
deprecated private ModuleObject xmlElementTreeModule() {
|
||||
result.getName() = "xml.etree.ElementTree"
|
||||
}
|
||||
|
||||
deprecated private ModuleObject xmlMiniDomModule() { result.getName() = "xml.dom.minidom" }
|
||||
|
||||
deprecated private ModuleObject xmlPullDomModule() { result.getName() = "xml.dom.pulldom" }
|
||||
|
||||
deprecated private ModuleObject xmlSaxModule() { result.getName() = "xml.sax" }
|
||||
|
||||
deprecated private class ExpatParser extends TaintKind {
|
||||
ExpatParser() { this = "expat.parser" }
|
||||
}
|
||||
|
||||
deprecated private FunctionObject expatCreateParseFunction() {
|
||||
result = ModuleObject::named("xml.parsers.expat").attr("ParserCreate")
|
||||
}
|
||||
|
||||
deprecated private class ExpatCreateParser extends TaintSource {
|
||||
ExpatCreateParser() { expatCreateParseFunction().getACall() = this }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExpatParser }
|
||||
|
||||
override string toString() { result = "expat.create.parser" }
|
||||
}
|
||||
|
||||
deprecated private FunctionObject xmlFromString() {
|
||||
result = xmlElementTreeModule().attr("fromstring")
|
||||
or
|
||||
result = xmlMiniDomModule().attr("parseString")
|
||||
or
|
||||
result = xmlPullDomModule().attr("parseString")
|
||||
or
|
||||
result = xmlSaxModule().attr("parseString")
|
||||
}
|
||||
|
||||
/** A (potentially) malicious XML string. */
|
||||
deprecated class ExternalXmlString extends ExternalStringKind {
|
||||
ExternalXmlString() { this = "external xml encoded object" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to an XML library function that is potentially vulnerable to a
|
||||
* specially crafted XML string.
|
||||
*/
|
||||
deprecated class XmlLoadNode extends DeserializationSink {
|
||||
override string toString() { result = "xml.load vulnerability" }
|
||||
|
||||
XmlLoadNode() {
|
||||
exists(CallNode call | call.getAnArg() = this |
|
||||
xmlFromString().getACall() = call or
|
||||
any(ExpatParser parser).taints(call.getFunction().(AttrNode).getObject("Parse"))
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalXmlString }
|
||||
}
|
||||
@@ -1,28 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious yaml-encoded objects.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
deprecated private FunctionObject yamlLoad() { result = ModuleObject::named("yaml").attr("load") }
|
||||
|
||||
/** `yaml.load(untrusted)` vulnerability. */
|
||||
deprecated class YamlLoadNode extends DeserializationSink {
|
||||
override string toString() { result = "yaml.load vulnerability" }
|
||||
|
||||
YamlLoadNode() {
|
||||
exists(CallNode call |
|
||||
yamlLoad().getACall() = call and
|
||||
call.getAnArg() = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -14,7 +14,6 @@ import python
|
||||
private import semmle.python.pointsto.PointsTo
|
||||
private import semmle.python.pointsto.PointsToContext
|
||||
private import semmle.python.objects.TObject
|
||||
private import semmle.python.web.HttpConstants
|
||||
/* Make ObjectInternal visible to save extra imports in user code */
|
||||
import semmle.python.objects.ObjectInternal
|
||||
|
||||
@@ -52,30 +51,6 @@ class RangeIterationVariableFact extends PointsToExtension {
|
||||
}
|
||||
}
|
||||
|
||||
/* bottle module route constants */
|
||||
deprecated class BottleRoutePointToExtension extends PointsToExtension {
|
||||
string name;
|
||||
|
||||
BottleRoutePointToExtension() {
|
||||
exists(DefinitionNode defn |
|
||||
defn.getScope().(Module).getName() = "bottle" and
|
||||
this = defn.getValue() and
|
||||
name = defn.(NameNode).getId()
|
||||
|
|
||||
name = "route" or
|
||||
name = httpVerbLower()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate pointsTo(Context context, ObjectInternal value, ControlFlowNode origin) {
|
||||
context.isImport() and
|
||||
exists(CfgOrigin orig |
|
||||
Module::named("bottle").attr("Bottle").(ClassObjectInternal).attribute(name, value, orig) and
|
||||
origin = orig.asCfgNodeOrHere(this)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/* Python 3.6+ regex module constants */
|
||||
string short_flag(string flag) {
|
||||
flag in ["ASCII", "IGNORECASE", "LOCALE", "UNICODE", "MULTILINE", "TEMPLATE"] and
|
||||
|
||||