Ruby: Remove deprecated configuration classes referencing deleted api.

2026-04-23 07:45:17 +02:00 · 2024-12-03 19:38:47 +01:00
parent 8a5fc97b06
commit 8c99ad4fcb
30 changed files with 0 additions and 683 deletions
--- a/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll
@@ -9,22 +9,6 @@ private import codeql.ruby.TaintTracking
 private import codeql.ruby.ApiGraphs
 import UnicodeBypassValidationCustomizations::UnicodeBypassValidation

-/**
- * A state signifying that a logical validation has not been performed.
- * DEPRECATED: Use `PreValidationState()`
- */
-deprecated class PreValidation extends DataFlow::FlowState {
-  PreValidation() { this = "PreValidation" }
-}
-
-/**
- * A state signifying that a logical validation has been performed.
- * DEPRECATED: Use `PostValidationState()`
- */
-deprecated class PostValidation extends DataFlow::FlowState {
-  PostValidation() { this = "PostValidation" }
-}
-
 /**
 * A state signifying if a logical validation has been performed or not.
 */
@@ -34,40 +18,6 @@ private newtype ValidationState =
  // A state signifying that a logical validation has been performed.
  PostValidationState()

-/**
- * A taint-tracking configuration for detecting "Unicode transformation mishandling" vulnerabilities.
- *
- * This configuration uses two flow states, `PreValidation` and `PostValidation`,
- * to track the requirement that a logical validation has been performed before the Unicode Transformation.
- * DEPRECATED: Use `UnicodeBypassValidationFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnicodeBypassValidation" }
-
-  private ValidationState convertState(DataFlow::FlowState state) {
-    state instanceof PreValidation and result = PreValidationState()
-    or
-    state instanceof PostValidation and result = PostValidationState()
-  }
-
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-    UnicodeBypassValidationConfig::isSource(source, this.convertState(state))
-  }
-
-  override predicate isAdditionalTaintStep(
-    DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
-    DataFlow::FlowState stateTo
-  ) {
-    UnicodeBypassValidationConfig::isAdditionalFlowStep(nodeFrom, this.convertState(stateFrom),
-      nodeTo, this.convertState(stateTo))
-  }
-
-  /* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC.  */
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    UnicodeBypassValidationConfig::isSink(sink, this.convertState(state))
-  }
-}
-
 /**
 * A taint-tracking configuration for detecting "Unicode transformation mishandling" vulnerabilities.
 *
--- a/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll
@@ -9,35 +9,6 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking
 private import codeql.ruby.ApiGraphs

-/**
- * A taint-tracking configuration for reasoning about zip slip
- * vulnerabilities.
- * DEPRECATED: Use `ZipSlipFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "ZipSlip" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof ZipSlip::Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof ZipSlip::Sink }
-
-  /**
-   * This should actually be
-   * `and cn = API::getTopLevelMember("Gem").getMember("Package").getMember("TarReader").getMember("Entry").getAMethodCall("full_name")` and similar for other classes
-   * but I couldn't make it work so there's only check for the method name called on the entry. It is `full_name` for `Gem::Package::TarReader::Entry` and `Zlib`
-   * and `name` for `Zip::File`
-   */
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(DataFlow::CallNode cn |
-      cn.getReceiver() = nodeFrom and
-      cn.getMethodName() in ["full_name", "name"] and
-      cn = nodeTo
-    )
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof ZipSlip::Sanitizer }
-}
-
 private module ZipSlipConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof ZipSlip::Source }

--- a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll
@@ -12,28 +12,6 @@ private import codeql.ruby.TaintTracking
 import CleartextLoggingCustomizations::CleartextLogging
 private import CleartextLoggingCustomizations::CleartextLogging as CL

-/**
- * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
- * DEPRECATED: Use `CleartextLoggingFlow` instead
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "CleartextLogging" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof CL::Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CL::Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node)
-    or
-    node instanceof CL::Sanitizer
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    CL::isAdditionalTaintStep(nodeFrom, nodeTo)
-  }
-}
-
 private module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof CL::Source }

--- a/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll
@@ -11,28 +11,6 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking
 private import CleartextStorageCustomizations::CleartextStorage as CS

-/**
- * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
- * DEPRECATED: Use `CleartextStorageFlow` instead
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "CleartextStorage" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof CS::Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CS::Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node)
-    or
-    node instanceof CS::Sanitizer
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    CS::isAdditionalTaintStep(nodeFrom, nodeTo)
-  }
-}
-
 private module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof CS::Source }

--- a/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
@@ -14,18 +14,6 @@ private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 module CodeInjection {
  /** Flow states used to distinguish whether an attacker controls the entire string. */
  module FlowState {
-    /**
-     * Flow state used for normal tainted data, where an attacker might only control a substring.
-     * DEPRECATED: Use `SubString()`
-     */
-    deprecated DataFlow::FlowState substring() { result = "substring" }
-
-    /**
-     * Flow state used for data that is entirely controlled by the attacker.
-     * DEPRECATED: Use `Full()`
-     */
-    deprecated DataFlow::FlowState full() { result = "full" }
-
    private newtype TState =
      TFull() or
      TSubString()
@@ -62,14 +50,6 @@ module CodeInjection {
   * A data flow source for "Code injection" vulnerabilities.
   */
  abstract class Source extends DataFlow::Node {
-    /**
-     * Gets a flow state for which this is a source.
-     * DEPRECATED: Use `getAState()`
-     */
-    deprecated DataFlow::FlowState getAFlowState() {
-      result = [FlowState::substring(), FlowState::full()]
-    }
-
    /** Gets a flow state for which this is a source. */
    FlowState::State getAState() {
      result instanceof FlowState::SubString or result instanceof FlowState::Full
@@ -80,14 +60,6 @@ module CodeInjection {
   * A data flow sink for "Code injection" vulnerabilities.
   */
  abstract class Sink extends DataFlow::Node {
-    /**
-     * Holds if this sink is safe for an attacker that only controls a substring.
-     * DEPRECATED: Use `getAState()`
-     */
-    deprecated DataFlow::FlowState getAFlowState() {
-      result = [FlowState::substring(), FlowState::full()]
-    }
-
    /** Holds if this sink is safe for an attacker that only controls a substring. */
    FlowState::State getAState() { any() }
  }
@@ -96,13 +68,6 @@ module CodeInjection {
   * A sanitizer for "Code injection" vulnerabilities.
   */
  abstract class Sanitizer extends DataFlow::Node {
-    /**
-     * Gets a flow state for which this is a sanitizer.
-     * Sanitizes all states if the result is empty.
-     * DEPRECATED: Use `getAState()`
-     */
-    deprecated DataFlow::FlowState getAFlowState() { none() }
-
    /**
     * Gets a flow state for which this is a sanitizer.
     * Sanitizes all states if the result is empty.
@@ -123,12 +88,6 @@ module CodeInjection {

    CodeExecutionAsSink() { this = c.getCode() }

-    deprecated override DataFlow::FlowState getAFlowState() {
-      if c.runsArbitraryCode()
-      then result = [FlowState::substring(), FlowState::full()] // If it runs arbitrary code then it's always vulnerable.
-      else result = FlowState::full() // If it "just" loads something, then it's only vulnerable if the attacker controls the entire string.
-    }
-
    override FlowState::State getAState() {
      if c.runsArbitraryCode()
      then any() // If it runs arbitrary code then it's always vulnerable.
@@ -153,8 +112,6 @@ module CodeInjection {
      )
    }

-    deprecated override DataFlow::FlowState getAFlowState() { result = FlowState::full() }
-
    override FlowState::State getAState() { result instanceof FlowState::Full }
  }

--- a/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll
@@ -11,34 +11,6 @@ import codeql.ruby.TaintTracking
 import CodeInjectionCustomizations::CodeInjection
 import codeql.ruby.dataflow.BarrierGuards

-/**
- * A taint-tracking configuration for detecting "Code injection" vulnerabilities.
- * DEPRECATED: Use `CodeInjectionFlow` instead
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "CodeInjection" }
-
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-    state = source.(Source).getAFlowState()
-  }
-
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    state = sink.(Sink).getAFlowState()
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof Sanitizer and not exists(node.(Sanitizer).getAFlowState())
-    or
-    node instanceof StringConstCompareBarrier
-    or
-    node instanceof StringConstArrayInclusionCallBarrier
-  }
-
-  override predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) {
-    node.(Sanitizer).getAFlowState() = state
-  }
-}
-
 private module Config implements DataFlow::StateConfigSig {
  class FlowState = FlowState::State;

--- a/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll
@@ -13,24 +13,6 @@ import CommandInjectionCustomizations::CommandInjection
 import codeql.ruby.DataFlow
 import codeql.ruby.dataflow.BarrierGuards

-/**
- * A taint-tracking configuration for reasoning about command-injection vulnerabilities.
- * DEPRECATED: Use `CommandInjectionFlow` instead
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "CommandInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof Sanitizer or
-    node instanceof StringConstCompareBarrier or
-    node instanceof StringConstArrayInclusionCallBarrier
-  }
-}
-
 private module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll
@@ -11,23 +11,6 @@ private import codeql.ruby.TaintTracking
 private import codeql.ruby.security.SensitiveActions
 import ConditionalBypassCustomizations::ConditionalBypass

-/**
- * A taint tracking configuration for bypass of sensitive action guards.
- * DEPRECATED: Use `ConditionalBypassFlow` instead
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "ConditionalBypass" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof Sanitizer
-  }
-}
-
 private module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeCustomizations.qll
@@ -19,18 +19,6 @@ module HardcodedDataInterpretedAsCode {
   * Flow states used to distinguish value-preserving flow from taint flow.
   */
  module FlowState {
-    /**
-     * Flow state used to track value-preserving flow.
-     * DEPRECATED: Use `Data()`
-     */
-    deprecated DataFlow::FlowState data() { result = "data" }
-
-    /**
-     * Flow state used to tainted data (non-value preserving flow).
-     * DEPRECATED: Use `Taint()`
-     */
-    deprecated DataFlow::FlowState taint() { result = "taint" }
-
    /**
     * Flow states used to distinguish value-preserving flow from taint flow.
     */
@@ -45,12 +33,6 @@ module HardcodedDataInterpretedAsCode {
   * A data flow source for hard-coded data.
   */
  abstract class Source extends DataFlow::Node {
-    /**
-     * Gets a flow label for which this is a source.
-     * DEPRECATED: Use `getALabel()`
-     */
-    deprecated DataFlow::FlowState getLabel() { result = FlowState::data() }
-
    /**
     * Gets a flow label for which this is a source.
     */
@@ -64,17 +46,6 @@ module HardcodedDataInterpretedAsCode {
    /** Gets a description of what kind of sink this is. */
    abstract string getKind();

-    /**
-     * Gets a flow label for which this is a sink.
-     * DEPRECATED: Use `getALabel()`
-     */
-    deprecated DataFlow::FlowState getLabel() {
-      // We want to ignore value-flow and only consider taint-flow, since the
-      // source is just a hex string, and evaluating that directly will just
-      // cause a syntax error.
-      result = FlowState::taint()
-    }
-
    /**
     * Gets a flow label for which this is a sink.
     */
--- a/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll
@@ -12,39 +12,6 @@ private import codeql.ruby.TaintTracking
 private import codeql.ruby.dataflow.internal.TaintTrackingPrivate
 import HardcodedDataInterpretedAsCodeCustomizations::HardcodedDataInterpretedAsCode

-/**
- * A taint-tracking configuration for reasoning about hard-coded data
- * being interpreted as code.
- *
- * DEPRECATED: Use `HardcodedDataInterpretedAsCodeFlow` instead
- */
-deprecated class Configuration extends DataFlow::Configuration {
-  Configuration() { this = "HardcodedDataInterpretedAsCode" }
-
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState label) {
-    source.(Source).getLabel() = label
-  }
-
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState label) {
-    sink.(Sink).getLabel() = label
-  }
-
-  override predicate isBarrier(DataFlow::Node node) {
-    super.isBarrier(node) or
-    node instanceof Sanitizer
-  }
-
-  override predicate isAdditionalFlowStep(
-    DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
-    DataFlow::FlowState stateTo
-  ) {
-    defaultAdditionalTaintStep(nodeFrom, nodeTo, _) and
-    // This is a taint step, so the flow state becomes `taint`.
-    stateFrom = [FlowState::data(), FlowState::taint()] and
-    stateTo = FlowState::taint()
-  }
-}
-
 private module Config implements DataFlow::StateConfigSig {
  class FlowState = FlowState::State;

--- a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
@@ -23,19 +23,3 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
 * Taint tracking for writing user-controlled data to files.
 */
 module HttpToFileAccessFlow = TaintTracking::Global<HttpToFileAccessConfig>;
-
-/**
- * DEPRECATED. Use the `HttpToFileAccessFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "HttpToFileAccess" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof Sanitizer
-  }
-}
--- a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll
@@ -7,20 +7,6 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking
 private import ImproperLdapAuthCustomizations::ImproperLdapAuth

-/**
- * A taint-tracking configuration for detecting improper LDAP authentication vulnerabilities.
- * DEPRECATED: Use `ImproperLdapAuthFlow` instead
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "ImproperLdapAuth" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module ImproperLdapAuthConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadCustomizations.qll
@@ -19,12 +19,6 @@ module InsecureDownload {
   * A data flow source for download of sensitive file through insecure connection.
   */
  abstract class Source extends DataFlow::Node {
-    /**
-     * Gets a flow-label for this source.
-     * DEPRECATED: Use `getAFlowLabel()`
-     */
-    abstract deprecated DataFlow::FlowState getALabel();
-
    /**
     * Gets a flow-label for this source.
     */
@@ -40,12 +34,6 @@ module InsecureDownload {
     */
    abstract DataFlow::Node getDownloadCall();

-    /**
-     * Gets a flow-label where this sink is vulnerable.
-     * DEPRECATED: Use `getAFlowLabel()`
-     */
-    abstract deprecated DataFlow::FlowState getALabel();
-
    /**
     * Gets a flow-label where this sink is vulnerable.
     */
@@ -61,30 +49,6 @@ module InsecureDownload {
   * Flow-labels for reasoning about download of sensitive file through insecure connection.
   */
  module Label {
-    /**
-     * A flow-label for a URL that is downloaded over an insecure connection.
-     * DEPRECATED: Use `InsecureState()`
-     */
-    deprecated class Insecure extends DataFlow::FlowState {
-      Insecure() { this = "insecure" }
-    }
-
-    /**
-     * A flow-label for a URL that is sensitive.
-     * DEPRECATED: Use `SensitiveState()`
-     */
-    deprecated class Sensitive extends DataFlow::FlowState {
-      Sensitive() { this = "sensitive" }
-    }
-
-    /**
-     * A flow-label for file URLs that are both sensitive and downloaded over an insecure connection.
-     * DEPRECATED: Use `SensitiveInsecureState()`
-     */
-    deprecated class SensitiveInsecure extends DataFlow::FlowState {
-      SensitiveInsecure() { this = "sensitiveInsecure" }
-    }
-
    /**
     * Flow-labels for reasoning about download of sensitive file through insecure connection.
     */
@@ -114,13 +78,6 @@ module InsecureDownload {
   * seen as a source for downloads of sensitive files through an insecure connection.
   */
  class InsecureFileUrl extends Source, InsecureUrl {
-    deprecated override DataFlow::FlowState getALabel() {
-      result instanceof Label::Insecure
-      or
-      hasUnsafeExtension(str) and
-      result instanceof Label::SensitiveInsecure
-    }
-
    override Label::State getAFlowLabel() {
      result = Label::InsecureState()
      or
@@ -136,8 +93,6 @@ module InsecureDownload {
  class SensitiveFileName extends Source {
    SensitiveFileName() { hasUnsafeExtension(this.asExpr().getConstantValue().getString()) }

-    deprecated override DataFlow::FlowState getALabel() { result instanceof Label::Sensitive }
-
    override Label::State getAFlowLabel() { result = Label::SensitiveState() }
  }

@@ -180,12 +135,6 @@ module InsecureDownload {

    override DataFlow::Node getDownloadCall() { result = req }

-    deprecated override DataFlow::FlowState getALabel() {
-      result instanceof Label::SensitiveInsecure
-      or
-      any(req.getAUrlPart()) instanceof InsecureUrl and result instanceof Label::Sensitive
-    }
-
    override Label::State getAFlowLabel() {
      result = Label::SensitiveInsecureState()
      or
@@ -232,8 +181,6 @@ module InsecureDownload {
      )
    }

-    deprecated override DataFlow::FlowState getALabel() { result instanceof Label::Insecure }
-
    override Label::State getAFlowLabel() { result = Label::InsecureState() }

    override DataFlow::Node getDownloadCall() { result = request }
--- a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
@@ -25,20 +25,6 @@ abstract class Sink extends DataFlow::Node { }
 */
 abstract class Sanitizer extends DataFlow::Node { }

-/**
- * A taint-tracking configuration for untrusted user input used in log entries.
- * DEPRECATED: Use `LogInjectionFlow`
- */
-deprecated class LogInjectionConfiguration extends TaintTracking::Configuration {
-  LogInjectionConfiguration() { this = "LogInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 /**
 * A source of remote user controlled input.
 */
--- a/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll
@@ -12,23 +12,6 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking

-/**
- * A taint-tracking configuration for reasoning about path injection
- * vulnerabilities.
- * DEPRECATED: Use `PathInjectionFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "PathInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof PathInjection::Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof PathInjection::Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer
-  }
-}
-
 private module PathInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof PathInjection::Source }

--- a/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll
@@ -10,32 +10,6 @@ private import codeql.ruby.AST
 import codeql.ruby.DataFlow
 import codeql.ruby.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
- * DEPRECATED: Use `ReflectedXssFlow`
- */
-deprecated module ReflectedXss {
-  import XSS::ReflectedXss
-
-  /**
-   * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
-   * DEPRECATED: Use `ReflectedXssFlow`
-   */
-  deprecated class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "ReflectedXSS" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-      isAdditionalXssTaintStep(node1, node2)
-    }
-  }
-}
-
 private module ReflectedXssConfig implements DataFlow::ConfigSig {
  private import XSS::ReflectedXss as RX

--- a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll
@@ -10,27 +10,6 @@
 private import ruby
 private import codeql.ruby.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting flow of query string
- * data to sensitive actions in GET query request handlers.
- * DEPRECATED: Use `SensitiveGetQueryFlow`
- */
-deprecated module SensitiveGetQuery {
-  import SensitiveGetQueryCustomizations::SensitiveGetQuery
-
-  /**
-   * A taint-tracking configuration for reasoning about use of sensitive data
-   * from a GET request query string.
-   */
-  deprecated class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "SensitiveGetQuery" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-  }
-}
-
 private module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
  import SensitiveGetQueryCustomizations::SensitiveGetQuery

--- a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll
@@ -12,25 +12,6 @@ import codeql.ruby.TaintTracking
 import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
 import codeql.ruby.dataflow.BarrierGuards

-/**
- * A taint-tracking configuration for detecting
- * "Server side request forgery" vulnerabilities.
- * DEPRECATED: Use `ServerSideRequestForgeryFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "ServerSideRequestForgery" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof Sanitizer or
-    node instanceof StringConstCompareBarrier or
-    node instanceof StringConstArrayInclusionCallBarrier
-  }
-}
-
 private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll
@@ -7,20 +7,6 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking
 import SqlInjectionCustomizations::SqlInjection

-/**
- * A taint-tracking configuration for detecting SQL injection vulnerabilities.
- * DEPRECATED: Use `SqlInjectionFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "SqlInjectionConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module SqlInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll
@@ -11,20 +11,6 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking
 private import StackTraceExposureCustomizations::StackTraceExposure

-/**
- * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
- * DEPRECATED: Use `StackTraceExposureFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "StackTraceExposure" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module StackTraceExposureConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll
@@ -25,19 +25,3 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig {
 * Taint-tracking for format injections.
 */
 module TaintedFormatStringFlow = TaintTracking::Global<TaintedFormatStringConfig>;
-
-/**
- * DEPRECATED. Use the `TaintedFormatStringFlow` module instead.
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "TaintedFormatString" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof Sanitizer
-  }
-}
--- a/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll
@@ -7,20 +7,6 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking
 import TemplateInjectionCustomizations::TemplateInjection

-/**
- * A taint-tracking configuration for detecting Server Side Template Injections vulnerabilities.
- * DEPRECATED: Use `TemplateInjectionFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "TemplateInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module TemplateInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll
@@ -12,28 +12,6 @@ import UnsafeCodeConstructionCustomizations::UnsafeCodeConstruction
 private import codeql.ruby.TaintTracking
 private import codeql.ruby.dataflow.BarrierGuards

-/**
- * A taint-tracking configuration for detecting code constructed from library input vulnerabilities.
- * DEPRECATED: Use `UnsafeCodeConstructionFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeShellCommandConstruction" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof StringConstCompareBarrier or
-    node instanceof StringConstArrayInclusionCallBarrier
-  }
-
-  // override to require the path doesn't have unmatched return steps
-  override DataFlow::FlowFeature getAFeature() {
-    result instanceof DataFlow::FeatureHasSourceCallContext
-  }
-}
-
 private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
@@ -11,25 +11,6 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking
 import UnsafeDeserializationCustomizations

-/**
- * A taint-tracking configuration for reasoning about unsafe deserialization.
- * DEPRECATED: Use `UnsafeDeserializationFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeDeserialization" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof UnsafeDeserialization::Source
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserialization::Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof UnsafeDeserialization::Sanitizer
-  }
-}
-
 private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof UnsafeDeserialization::Source }

--- a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll
@@ -12,25 +12,6 @@ import UnsafeHtmlConstructionCustomizations::UnsafeHtmlConstruction
 private import codeql.ruby.TaintTracking
 private import codeql.ruby.dataflow.BarrierGuards

-/**
- * A taint-tracking configuration for detecting unsafe HTML construction.
- * DEPRECATED: Use `UnsafeHtmlConstructionFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeHtmlConstruction" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-  // override to require the path doesn't have unmatched return steps
-  override DataFlow::FlowFeature getAFeature() {
-    result instanceof DataFlow::FeatureHasSourceCallContext
-  }
-}
-
 private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll
@@ -13,29 +13,6 @@ private import codeql.ruby.TaintTracking
 private import CommandInjectionCustomizations::CommandInjection as CommandInjection
 private import codeql.ruby.dataflow.BarrierGuards

-/**
- * A taint-tracking configuration for detecting shell command constructed from library input vulnerabilities.
- * DEPRECATED: Use `UnsafeShellCommandConstructionFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeShellCommandConstruction" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof CommandInjection::Sanitizer or // using all sanitizers from `rb/command-injection`
-    node instanceof StringConstCompareBarrier or
-    node instanceof StringConstArrayInclusionCallBarrier
-  }
-
-  // override to require the path doesn't have unmatched return steps
-  override DataFlow::FlowFeature getAFeature() {
-    result instanceof DataFlow::FeatureHasSourceCallContext
-  }
-}
-
 private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll
@@ -12,24 +12,6 @@ import codeql.ruby.TaintTracking
 import UrlRedirectCustomizations
 import UrlRedirectCustomizations::UrlRedirect

-/**
- * A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
- * DEPRECATED: Use `UrlRedirectFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UrlRedirect" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    UrlRedirect::isAdditionalTaintStep(node1, node2)
-  }
-}
-
 private module UrlRedirectConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll
@@ -11,21 +11,6 @@ import ruby
 import codeql.ruby.TaintTracking
 import MissingFullAnchorCustomizations::MissingFullAnchor

-/**
- * A taint tracking configuration for reasoning about
- * missing full-anchored regular expressions.
- * DEPRECATED: Use `MissingFullAnchorFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "MissingFullAnchor" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 private module MissingFullAnchorConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll
@@ -10,30 +10,6 @@
 private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking

-/**
- * Provides a taint-tracking configuration for detecting polynomial regular
- * expression denial of service vulnerabilities.
- * DEPRECATED: Use `PolynomialReDoSFlow`
- */
-deprecated module PolynomialReDoS {
-  import PolynomialReDoSCustomizations::PolynomialReDoS
-
-  /**
-   * A taint-tracking configuration for detecting polynomial regular expression
-   * denial of service vulnerabilities.
-   * DEPRECATED: Use `PolynomialReDoSFlow`
-   */
-  deprecated class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "PolynomialReDoS" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  }
-}
-
 private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
  private import PolynomialReDoSCustomizations::PolynomialReDoS

--- a/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll
@@ -11,20 +11,6 @@ import codeql.ruby.TaintTracking
 import RegExpInjectionCustomizations
 import codeql.ruby.dataflow.BarrierGuards

-/**
- * A taint-tracking configuration for detecting regexp injection vulnerabilities.
- * DEPRECATED: Use `RegExpInjectionFlow`
- */
-deprecated class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "RegExpInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RegExpInjection::Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RegExpInjection::Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof RegExpInjection::Sanitizer }
-}
-
 private module RegExpInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RegExpInjection::Source }