Merge pull request #17349 from erik-krogh/del-deps-sep-2024

All: delete outdated deprecations

ruby/ql/lib/change-notes/2024-09-03-outdated-deprecations.md

@@ -0,0 +1,8 @@
+---
+category: breaking
+---
+* Deleted the deprecated `getURL` predicate the `Http::Request` class, use `getAUrlPart` instead.
+* Deleted the deprecated `getNode` predicate from the `CfgNode` class, use `getAstNode` instead. 
+* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
+* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
+* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -693,14 +693,6 @@ module Http {
     class Request extends SC::Request instanceof Request::Range {
       /** Gets a node which returns the body of the response */
       DataFlow::Node getResponseBody() { result = super.getResponseBody() }
-
-      /**
-       * DEPRECATED: Use `getAUrlPart` instead.
-       *
-       * Gets a node that contributes to the URL of the request.
-       * Depending on the framework, a request may have multiple nodes which contribute to the URL.
-       */
-      deprecated DataFlow::Node getURL() { result = Request::Range.super.getAUrlPart() }
     }
 
     /** Provides a class for modeling new HTTP requests. */

ruby/ql/lib/codeql/ruby/controlflow/ControlFlowGraph.qll

@@ -40,9 +40,6 @@ class CfgNode extends CfgImpl::Node {
   /** Gets the file of this control flow node. */
   final File getFile() { result = this.getLocation().getFile() }
 
-  /** DEPRECATED: Use `getAstNode` instead. */
-  deprecated AstNode getNode() { result = this.getAstNode() }
-
   /** Gets a successor node of a given type, if any. */
   final CfgNode getASuccessor(SuccessorType t) { result = super.getASuccessor(t) }
 

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll

@@ -1323,11 +1323,6 @@ class CallableNode extends StmtSequenceNode {
    * Gets a data flow node whose value is about to be returned by this callable.
    */
   Node getAReturnNode() { result = getAReturnNode(callable) }
-
-  /**
-   * DEPRECATED. Use `getAReturnNode` instead.
-   */
-  deprecated Node getAReturningNode() { result = this.getAReturnNode() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/frameworks/Rack.qll

@@ -10,7 +10,4 @@ module Rack {
   import rack.internal.Request
   import rack.internal.Response::Public as Response
   import rack.internal.Utils
-
-  /** DEPRECATED: Alias for App::AppCandidate */
-  deprecated class AppCandidate = App::AppCandidate;
 }

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll

@@ -39,31 +39,6 @@ private RP::PotentialResponseNode trackRackResponse(PotentialRequestHandler call
  * Provides modeling for Rack applications.
  */
 module App {
-  /**
-   * DEPRECATED: Use `RequestHandler` instead.
-   * A class that may be a rack application.
-   * This is a class that has a `call` method that takes a single argument
-   * (traditionally called `env`) and returns a rack-compatible response.
-   */
-  deprecated class AppCandidate extends DataFlow::ClassNode {
-    private RequestHandler call;
-    private RP::PotentialResponseNode resp;
-
-    AppCandidate() {
-      call = this.getInstanceMethod("call") and
-      call.getNumberOfParameters() = 1 and
-      resp = trackRackResponse(call)
-    }
-
-    /**
-     * Gets the environment of the request, which is the lone parameter to the `call` method.
-     */
-    DataFlow::ParameterNode getEnv() { result = call.getParameter(0) }
-
-    /** Gets the response returned from a request to this application. */
-    RP::PotentialResponseNode getResponse() { result = resp }
-  }
-
   /**
    * A callable node that looks like it implements the rack specification.
    */

ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll

@@ -10,28 +10,6 @@ private import codeql.ruby.AST
 private import codeql.ruby.DataFlow
 import InsecureDownloadCustomizations::InsecureDownload
 
-/**
- * A taint tracking configuration for download of sensitive file through insecure connection.
- *
- * DEPRECATED: Use `InsecureDownloadFlow`.
- */
-deprecated class Configuration extends DataFlow::Configuration {
-  Configuration() { this = "InsecureDownload" }
-
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState label) {
-    source.(Source).getALabel() = label
-  }
-
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState label) {
-    sink.(Sink).getALabel() = label
-  }
-
-  override predicate isBarrier(DataFlow::Node node) {
-    super.isBarrier(node) or
-    node instanceof Sanitizer
-  }
-}
-
 private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
   class FlowState = Label::State;
 

ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll

@@ -17,29 +17,6 @@ import codeql.ruby.TaintTracking
  */
 deprecated module StoredXss {
   import XSS::StoredXss
-
-  /**
-   * DEPRECATED.
-   *
-   * A taint-tracking configuration for reasoning about Stored XSS.
-   */
-  deprecated class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "StoredXss" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node) or
-      node instanceof Sanitizer
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-      isAdditionalXssTaintStep(node1, node2)
-    }
-  }
-
   import TaintTracking::Global<StoredXssConfig>
 }
 

ruby/ql/lib/codeql/ruby/security/internal/CleartextSources.qll

@@ -289,17 +289,4 @@ module CleartextSources {
 
     override string describe() { result = "a call to " + name }
   }
-
-  /** Holds if `nodeFrom` taints `nodeTo`. */
-  deprecated predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(string name, ElementReference ref, LocalVariable hashVar |
-      // from `hsh[password] = "changeme"` to a `hsh[password]` read
-      nodeFrom.(HashKeyWriteSensitiveSource).getName() = name and
-      nodeTo.asExpr().getExpr() = ref and
-      ref.getArgument(0).getConstantValue().getStringlikeValue() = name and
-      nodeFrom.(HashKeyWriteSensitiveSource).getVariable() = hashVar and
-      ref.getReceiver().(VariableReadAccess).getVariable() = hashVar and
-      nodeFrom.asExpr().getASuccessor*() = nodeTo.asExpr()
-    )
-  }
 }