Java: Deprecate the content of XxeLocalQuery and remove the Xxe local query variant.

2026-04-25 08:45:14 +02:00 · 2024-04-30 10:51:13 +02:00
parent e0c2a43780
commit 93988e5834
3 changed files with 4 additions and 32 deletions
--- a/java/ql/lib/semmle/code/java/security/XxeLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XxeLocalQuery.qll
@@ -27,7 +27,7 @@ deprecated class XxeLocalConfig extends TaintTracking::Configuration {
 /**
 * A taint-tracking configuration for unvalidated local user input that is used in XML external entity expansion.
 */
-module XxeLocalConfig implements DataFlow::ConfigSig {
+deprecated module XxeLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
@@ -40,6 +40,8 @@ module XxeLocalConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `XxeFlow` instead and configure threat model sources to include `local`.
+ *
 * Detect taint flow of unvalidated local user input that is used in XML external entity expansion.
 */
-module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
+deprecated module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
--- a/java/ql/src/Security/CWE/CWE-611/XXELocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-611/XXELocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="XXE.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-611/XXELocal.ql
+++ b/java/ql/src/Security/CWE/CWE-611/XXELocal.ql
@@ -1,25 +0,0 @@
-/**
- * @name Resolving XML external entity in user-controlled data from local source
- * @description Parsing user-controlled XML documents and allowing expansion of external entity
- * references may lead to disclosure of confidential data or denial of service.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 9.1
- * @precision medium
- * @id java/xxe-local
- * @tags security
- *       external/cwe/cwe-611
- *       external/cwe/cwe-776
- *       external/cwe/cwe-827
- */
-
-import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.security.XxeLocalQuery
-import XxeLocalFlow::PathGraph
-
-from XxeLocalFlow::PathNode source, XxeLocalFlow::PathNode sink
-where XxeLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink,
-  "XML parsing depends on a $@ without guarding against external entity expansion.",
-  source.getNode(), "user-provided value"