delete outdated deprecations

ruby/ql/lib/codeql/ruby/ApiGraphs.qll

@@ -801,12 +801,6 @@ module API {
     bindingset[this]
     EntryPoint() { any() }
 
-    /** DEPRECATED. This predicate has been renamed to `getASource`. */
-    deprecated DataFlow::LocalSourceNode getAUse() { none() }
-
-    /** DEPRECATED. This predicate has been renamed to `getASink`. */
-    deprecated DataFlow::Node getARhs() { none() }
-
     /** Gets a data-flow node corresponding to a use-node for this entry point. */
     DataFlow::LocalSourceNode getASource() { none() }
 

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -701,17 +701,6 @@ module Http {
        * Depending on the framework, a request may have multiple nodes which contribute to the URL.
        */
       deprecated DataFlow::Node getURL() { result = Request::Range.super.getAUrlPart() }
-
-      /**
-       * Holds if this request is made using a mode that disables SSL/TLS
-       * certificate validation, where `disablingNode` represents the point at
-       * which the validation was disabled.
-       */
-      deprecated predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
-        Request::Range.super.disablesCertificateValidation(disablingNode, _)
-        or
-        Request::Range.super.disablesCertificateValidation(disablingNode)
-      }
     }
 
     /** Provides a class for modeling new HTTP requests. */
@@ -725,15 +714,6 @@ module Http {
       abstract class Range extends SC::Request::Range {
         /** Gets a node which returns the body of the response */
         abstract DataFlow::Node getResponseBody();
-
-        /**
-         * DEPRECATED: override `disablesCertificateValidation/2` instead.
-         *
-         * Holds if this request is made using a mode that disables SSL/TLS
-         * certificate validation, where `disablingNode` represents the point at
-         * which the validation was disabled.
-         */
-        deprecated predicate disablesCertificateValidation(DataFlow::Node disablingNode) { none() }
       }
     }
 
@@ -748,9 +728,6 @@ module Http {
   }
 }
 
-/** DEPRECATED: Alias for Http */
-deprecated module HTTP = Http;
-
 /**
  * A data flow node that executes an operating system command,
  * for instance by spawning a new process.
@@ -967,9 +944,6 @@ class CsrfProtectionSetting extends DataFlow::Node instanceof CsrfProtectionSett
   boolean getVerificationSetting() { result = super.getVerificationSetting() }
 }
 
-/** DEPRECATED: Alias for CsrfProtectionSetting */
-deprecated class CSRFProtectionSetting = CsrfProtectionSetting;
-
 /** Provides a class for modeling new CSRF protection setting APIs. */
 module CsrfProtectionSetting {
   /**
@@ -987,9 +961,6 @@ module CsrfProtectionSetting {
   }
 }
 
-/** DEPRECATED: Alias for CsrfProtectionSetting */
-deprecated module CSRFProtectionSetting = CsrfProtectionSetting;
-
 /** Provides classes for modeling path-related APIs. */
 module Path {
   /**

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -23,16 +23,6 @@ module ActionController {
   import codeql.ruby.frameworks.actioncontroller.Filters
 }
 
-/**
- * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::ParamsCall` instead.
- */
-deprecated class ParamsCall = Rails::ParamsCall;
-
-/**
- * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::CookiesCall` instead.
- */
-deprecated class CookiesCall = Rails::CookiesCall;
-
 /**
  * A class that extends `ActionController::Base`.
  * For example,
@@ -87,22 +77,6 @@ private API::Node actionControllerInstance() {
   result = any(ActionControllerClass cls).getSelf().track()
 }
 
-/**
- * DEPRECATED. Use `ActionControllerClass` instead.
- *
- * A `ClassDeclaration` corresponding to an `ActionControllerClass`.
- */
-deprecated class ActionControllerControllerClass extends ClassDeclaration {
-  ActionControllerControllerClass() { this = any(ActionControllerClass cls).getADeclaration() }
-
-  /**
-   * Gets a `ActionControllerActionMethod` defined in this class.
-   */
-  ActionControllerActionMethod getAnAction() {
-    result = this.getAMethod().(Method) and result.isPrivate()
-  }
-}
-
 /**
  * A public instance method defined within an `ActionController` controller class.
  * This may be the target of a route handler, if such a route is defined.

ruby/ql/lib/codeql/ruby/frameworks/ActionView.qll

@@ -11,26 +11,6 @@ private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.frameworks.internal.Rails
 private import codeql.ruby.frameworks.Rails
 
-/**
- * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::HtmlSafeCall` instead.
- */
-deprecated class HtmlSafeCall = Rails::HtmlSafeCall;
-
-/**
- * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::HtmlEscapeCall` instead.
- */
-deprecated class HtmlEscapeCall = Rails::HtmlEscapeCall;
-
-/**
- * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::RenderCall` instead.
- */
-deprecated class RenderCall = Rails::RenderCall;
-
-/**
- * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::RenderToCall` instead.
- */
-deprecated class RenderToCall = Rails::RenderToCall;
-
 /**
  * Holds if this AST node is in a context where `ActionView` methods are available.
  */

ruby/ql/lib/codeql/ruby/frameworks/Rails.qll

@@ -49,15 +49,6 @@ private module RenderCallUtils {
  * Provides classes for working with Rails.
  */
 module Rails {
-  /**
-   * DEPRECATED: Any call to `html_safe` is considered an XSS sink.
-   * A method call on a string to mark it as HTML safe for Rails. Strings marked
-   * as such will not be automatically escaped when inserted into HTML.
-   */
-  deprecated class HtmlSafeCall extends MethodCall {
-    HtmlSafeCall() { this.getMethodName() = "html_safe" }
-  }
-
   /** A call to a Rails method to escape HTML. */
   class HtmlEscapeCall extends MethodCall instanceof HtmlEscapeCallImpl { }
 

ruby/ql/lib/codeql/ruby/security/BadTagFilterQuery.qll

@@ -1,8 +0,0 @@
-/**
- * Provides predicates for reasoning about bad tag filter vulnerabilities.
- */
-
-private import codeql.ruby.regexp.RegExpTreeView::RegexTreeView as TreeView
-// BadTagFilterQuery should be used directly from the shared pack, and not from this file.
-deprecated import codeql.regex.nfa.BadTagFilterQuery::Make<TreeView> as Dep
-import Dep

ruby/ql/lib/codeql/ruby/security/OpenSSL.qll

@@ -139,9 +139,6 @@ module Ciphers {
       ]
   }
 
-  /** DEPRECATED: Alias for isOpenSslCipher */
-  deprecated predicate isOpenSSLCipher = isOpenSslCipher/1;
-
   /**
    * Gets the canonical cipher name in cases where this isn't simply an
    * upcased version of the provided name. This may be because a default block
@@ -269,9 +266,6 @@ module Ciphers {
     name.toUpperCase().regexpMatch(getInsecureAlgorithmRegex())
   }
 
-  /** DEPRECATED: Alias for isWeakOpenSslCipher */
-  deprecated predicate isWeakOpenSSLCipher = isWeakOpenSslCipher/1;
-
   /**
    * Holds if `name` is the name of an OpenSSL cipher that is known to be strong.
    */
@@ -281,9 +275,6 @@ module Ciphers {
     // exclude algorithms that include a weak component
     not name.toUpperCase().regexpMatch(getInsecureAlgorithmRegex())
   }
-
-  /** DEPRECATED: Alias for isStrongOpenSslCipher */
-  deprecated predicate isStrongOpenSSLCipher = isStrongOpenSslCipher/1;
 }
 
 private import Ciphers
@@ -334,9 +325,6 @@ class OpenSslCipher extends MkOpenSslCipher {
   Cryptography::EncryptionAlgorithm getAlgorithm() { result.matchesName(this.getCanonicalName()) }
 }
 
-/** DEPRECATED: Alias for OpenSslCipher */
-deprecated class OpenSSLCipher = OpenSslCipher;
-
 /** `OpenSSL::Cipher` or `OpenSSL::Cipher::Cipher` */
 private API::Node cipherApi() {
   result = API::getTopLevelMember("OpenSSL").getMember("Cipher") or

ruby/ql/lib/codeql/ruby/security/OverlyLargeRangeQuery.qll

@@ -1,8 +0,0 @@
-/**
- * Classes and predicates for working with suspicious character ranges.
- */
-
-private import codeql.ruby.regexp.RegExpTreeView::RegexTreeView as TreeView
-// OverlyLargeRangeQuery should be used directly from the shared pack, and not from this file.
-deprecated import codeql.regex.OverlyLargeRangeQuery::Make<TreeView> as Dep
-import Dep

ruby/ql/lib/codeql/ruby/security/regexp/ExponentialBackTracking.qll

@@ -1,68 +0,0 @@
-/**
- * This library implements the analysis described in the following two papers:
- *
- *   James Kirrage, Asiri Rathnayake, Hayo Thielecke: Static Analysis for
- *     Regular Expression Denial-of-Service Attacks. NSS 2013.
- *     (https://arxiv.org/abs/1301.0849)
- *   Asiri Rathnayake, Hayo Thielecke: Static Analysis for Regular Expression
- *     Exponential Runtime via Substructural Logics. 2014.
- *     (https://www.cs.bham.ac.uk/~hxt/research/redos_full.pdf)
- *
- * The basic idea is to search for overlapping cycles in the NFA, that is,
- * states `q` such that there are two distinct paths from `q` to itself
- * that consume the same word `w`.
- *
- * For any such state `q`, an attack string can be constructed as follows:
- * concatenate a prefix `v` that takes the NFA to `q` with `n` copies of
- * the word `w` that leads back to `q` along two different paths, followed
- * by a suffix `x` that is _not_ accepted in state `q`. A backtracking
- * implementation will need to explore at least 2^n different ways of going
- * from `q` back to itself while trying to match the `n` copies of `w`
- * before finally giving up.
- *
- * Now in order to identify overlapping cycles, all we have to do is find
- * pumpable forks, that is, states `q` that can transition to two different
- * states `r1` and `r2` on the same input symbol `c`, such that there are
- * paths from both `r1` and `r2` to `q` that consume the same word. The latter
- * condition is equivalent to saying that `(q, q)` is reachable from `(r1, r2)`
- * in the product NFA.
- *
- * This is what the library does. It makes a simple attempt to construct a
- * prefix `v` leading into `q`, but only to improve the alert message.
- * And the library tries to prove the existence of a suffix that ensures
- * rejection. This check might fail, which can cause false positives.
- *
- * Finally, sometimes it depends on the translation whether the NFA generated
- * for a regular expression has a pumpable fork or not. We implement one
- * particular translation, which may result in false positives or negatives
- * relative to some particular JavaScript engine.
- *
- * More precisely, the library constructs an NFA from a regular expression `r`
- * as follows:
- *
- *   * Every sub-term `t` gives rise to an NFA state `Match(t,i)`, representing
- *     the state of the automaton before attempting to match the `i`th character in `t`.
- *   * There is one accepting state `Accept(r)`.
- *   * There is a special `AcceptAnySuffix(r)` state, which accepts any suffix string
- *     by using an epsilon transition to `Accept(r)` and an any transition to itself.
- *   * Transitions between states may be labelled with epsilon, or an abstract
- *     input symbol.
- *   * Each abstract input symbol represents a set of concrete input characters:
- *     either a single character, a set of characters represented by a
- *     character class, or the set of all characters.
- *   * The product automaton is constructed lazily, starting with pair states
- *     `(q, q)` where `q` is a fork, and proceeding along an over-approximate
- *     step relation.
- *   * The over-approximate step relation allows transitions along pairs of
- *     abstract input symbols where the symbols have overlap in the characters they accept.
- *   * Once a trace of pairs of abstract input symbols that leads from a fork
- *     back to itself has been identified, we attempt to construct a concrete
- *     string corresponding to it, which may fail.
- *   * Lastly we ensure that any state reached by repeating `n` copies of `w` has
- *     a suffix `x` (possible empty) that is most likely __not__ accepted.
- */
-
-private import codeql.ruby.regexp.RegExpTreeView::RegexTreeView as TreeView
-// ExponentialBackTracking should be used directly from the shared pack, and not from this file.
-deprecated private import codeql.regex.nfa.ExponentialBackTracking::Make<TreeView> as Dep
-import Dep

ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll

@@ -1,13 +0,0 @@
-/**
- * Provides classes and predicates for constructing an NFA from
- * a regular expression, and various utilities for reasoning about
- * the resulting NFA.
- *
- * These utilities are used both by the ReDoS queries and by
- * other queries that benefit from reasoning about NFAs.
- */
-
-private import codeql.ruby.regexp.RegExpTreeView::RegexTreeView as TreeView
-// NfaUtils should be used directly from the shared pack, and not from this file.
-deprecated private import codeql.regex.nfa.NfaUtils::Make<TreeView> as Dep
-import Dep

ruby/ql/lib/codeql/ruby/security/regexp/RegexpMatching.qll

@@ -1,9 +0,0 @@
-/**
- * Provides predicates for reasoning about which strings are matched by a regular expression,
- * and for testing which capture groups are filled when a particular regexp matches a string.
- */
-
-private import codeql.ruby.regexp.RegExpTreeView::RegexTreeView as TreeView
-// RegexpMatching should be used directly from the shared pack, and not from this file.
-deprecated import codeql.regex.nfa.RegexpMatching::Make<TreeView> as Dep
-import Dep

ruby/ql/lib/codeql/ruby/security/regexp/SuperlinearBackTracking.qll

@@ -1,41 +0,0 @@
-/**
- * This module implements the analysis described in the paper:
- *   Valentin Wustholz, Oswaldo Olivo, Marijn J. H. Heule, and Isil Dillig:
- *     Static Detection of DoS Vulnerabilities in
- *     Programs that use Regular Expressions
- *     (Extended Version).
- *   (https://arxiv.org/pdf/1701.04045.pdf)
- *
- * Theorem 3 from the paper describes the basic idea.
- *
- * The following explains the idea using variables and predicate names that are used in the implementation:
- * We consider a pair of repetitions, which we will call `pivot` and `succ`.
- *
- * We create a product automaton of 3-tuples of states (see `StateTuple`).
- * There exists a transition `(a,b,c) -> (d,e,f)` in the product automaton
- * iff there exists three transitions in the NFA `a->d, b->e, c->f` where those three
- * transitions all match a shared character `char`. (see `getAThreewayIntersect`)
- *
- * We start a search in the product automaton at `(pivot, pivot, succ)`,
- * and search for a series of transitions (a `Trace`), such that we end
- * at `(pivot, succ, succ)` (see `isReachableFromStartTuple`).
- *
- * For example, consider the regular expression `/^\d*5\w*$/`.
- * The search will start at the tuple `(\d*, \d*, \w*)` and search
- * for a path to `(\d*, \w*, \w*)`.
- * This path exists, and consists of a single transition in the product automaton,
- * where the three corresponding NFA edges all match the character `"5"`.
- *
- * The start-state in the NFA has an any-transition to itself, this allows us to
- * flag regular expressions such as `/a*$/` - which does not have a start anchor -
- * and can thus start matching anywhere.
- *
- * The implementation is not perfect.
- * It has the same suffix detection issue as the `js/redos` query, which can cause false positives.
- * It also doesn't find all transitions in the product automaton, which can cause false negatives.
- */
-
-private import codeql.ruby.regexp.RegExpTreeView::RegexTreeView as TreeView
-// SuperlinearBackTracking should be used directly from the shared pack, and not from this file.
-deprecated private import codeql.regex.nfa.SuperlinearBackTracking::Make<TreeView> as Dep
-import Dep

ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll

@@ -391,8 +391,6 @@ deprecated module StepSummary {
     smallstepCall(nodeFrom, nodeTo, summary)
   }
 
-  deprecated predicate localSourceStoreStep = flowsToStoreStep/3;
-
   /** Gets the step summary for a level step. */
   StepSummary levelStep() { result = LevelStep() }