Python: Solve deprecation warnings for old experimental queries

python/ql/src/experimental/Security/CWE-074/TemplateInjection.ql

@@ -21,11 +21,11 @@ import semmle.python.security.strings.Untrusted
 class TemplateInjectionConfiguration extends TaintTracking::Configuration {
   TemplateInjectionConfiguration() { this = "Template injection configuration" }
 
-  override predicate isSource(TaintTracking::Source source) {
+  deprecated override predicate isSource(TaintTracking::Source source) {
     source instanceof HttpRequestTaintSource
   }
 
-  override predicate isSink(TaintTracking::Sink sink) { sink instanceof SSTISink }
+  deprecated override predicate isSink(TaintTracking::Sink sink) { sink instanceof SSTISink }
 }
 
 from TemplateInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink

python/ql/src/experimental/Security/CWE-091/Xslt.ql

@@ -20,11 +20,11 @@ import experimental.semmle.python.security.injection.XSLT
 class XSLTInjectionConfiguration extends TaintTracking::Configuration {
   XSLTInjectionConfiguration() { this = "XSLT injection configuration" }
 
-  override predicate isSource(TaintTracking::Source source) {
+  deprecated override predicate isSource(TaintTracking::Source source) {
     source instanceof HttpRequestTaintSource
   }
 
-  override predicate isSink(TaintTracking::Sink sink) {
+  deprecated override predicate isSink(TaintTracking::Sink sink) {
     sink instanceof XSLTInjection::XSLTInjectionSink
   }
 }

python/ql/src/experimental/semmle/python/security/injection/XSLT.qll

@@ -21,7 +21,7 @@ module XSLTInjection {
   /**
    * A kind of "taint", representing an untrusted XML string
    */
-  private class ExternalXmlStringKind extends ExternalStringKind {
+  deprecated private class ExternalXmlStringKind extends ExternalStringKind {
     ExternalXmlStringKind() { this = "etree.XML string" }
 
     override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {

python/ql/src/experimental/semmle/python/templates/Airspeed.qll

@@ -5,7 +5,7 @@ import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
 /** returns the ClassValue representing `airspeed.Template` */
-ClassValue theAirspeedTemplateClass() { result = Value::named("airspeed.Template") }
+deprecated ClassValue theAirspeedTemplateClass() { result = Value::named("airspeed.Template") }
 
 /**
  * Sink representing the `airspeed.Template` class instantiation argument.
@@ -13,7 +13,7 @@ ClassValue theAirspeedTemplateClass() { result = Value::named("airspeed.Template
  *  import airspeed
  *  temp = airspeed.Template(`"sink"`)
  */
-class AirspeedTemplateSink extends SSTISink {
+deprecated class AirspeedTemplateSink extends SSTISink {
   override string toString() { result = "argument to airspeed.Template()" }
 
   AirspeedTemplateSink() {

python/ql/src/experimental/semmle/python/templates/Bottle.qll

@@ -5,7 +5,9 @@ import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
 /** returns the ClassValue representing `bottle.SimpleTemplate` */
-ClassValue theBottleSimpleTemplateClass() { result = Value::named("bottle.SimpleTemplate") }
+deprecated ClassValue theBottleSimpleTemplateClass() {
+  result = Value::named("bottle.SimpleTemplate")
+}
 
 /**
  * Sink representing the `bottle.SimpleTemplate` class instantiation argument.
@@ -13,7 +15,7 @@ ClassValue theBottleSimpleTemplateClass() { result = Value::named("bottle.Simple
  *  from bottle import SimpleTemplate
  *  template = SimpleTemplate(`sink`)
  */
-class BottleSimpleTemplateSink extends SSTISink {
+deprecated class BottleSimpleTemplateSink extends SSTISink {
   override string toString() { result = "argument to bottle.SimpleTemplate()" }
 
   BottleSimpleTemplateSink() {
@@ -32,7 +34,7 @@ class BottleSimpleTemplateSink extends SSTISink {
  *  from bottle import template
  *  tmp = template(`sink`)
  */
-class BottleTemplateSink extends SSTISink {
+deprecated class BottleTemplateSink extends SSTISink {
   override string toString() { result = "argument to bottle.template()" }
 
   BottleTemplateSink() {

python/ql/src/experimental/semmle/python/templates/Chameleon.qll

@@ -5,7 +5,9 @@ import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
 /** returns the ClassValue representing `chameleon.PageTemplate` */
-ClassValue theChameleonPageTemplateClass() { result = Value::named("chameleon.PageTemplate") }
+deprecated ClassValue theChameleonPageTemplateClass() {
+  result = Value::named("chameleon.PageTemplate")
+}
 
 /**
  * Sink representing the `chameleon.PageTemplate` class instantiation argument.
@@ -13,7 +15,7 @@ ClassValue theChameleonPageTemplateClass() { result = Value::named("chameleon.Pa
  *  from chameleon import PageTemplate
  *  template = PageTemplate(`sink`)
  */
-class ChameleonTemplateSink extends SSTISink {
+deprecated class ChameleonTemplateSink extends SSTISink {
   override string toString() { result = "argument to Chameleon.PageTemplate()" }
 
   ChameleonTemplateSink() {

python/ql/src/experimental/semmle/python/templates/Cheetah.qll

@@ -5,7 +5,9 @@ import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
 /** returns the ClassValue representing `Cheetah.Template.Template` */
-ClassValue theCheetahTemplateClass() { result = Value::named("Cheetah.Template.Template") }
+deprecated ClassValue theCheetahTemplateClass() {
+  result = Value::named("Cheetah.Template.Template")
+}
 
 /**
  * Sink representing the instantiation argument of any class which derives from
@@ -22,7 +24,7 @@ ClassValue theCheetahTemplateClass() { result = Value::named("Cheetah.Template.T
  *  from Cheetah.Template import Template
  *  t3 = Template("sink")
  */
-class CheetahTemplateInstantiationSink extends SSTISink {
+deprecated class CheetahTemplateInstantiationSink extends SSTISink {
   override string toString() { result = "argument to Cheetah.Template.Template()" }
 
   CheetahTemplateInstantiationSink() {

python/ql/src/experimental/semmle/python/templates/Chevron.qll

@@ -5,7 +5,7 @@ import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
 /** returns the Value representing `chevron.render` function */
-Value theChevronRenderFunc() { result = Value::named("chevron.render") }
+deprecated Value theChevronRenderFunc() { result = Value::named("chevron.render") }
 
 /**
  * Sink representing the `chevron.render` function call argument.
@@ -13,7 +13,7 @@ Value theChevronRenderFunc() { result = Value::named("chevron.render") }
  *  import chevron
  *  tmp = chevron.render(`sink`,{ 'key' : 'value' })
  */
-class ChevronRenderSink extends SSTISink {
+deprecated class ChevronRenderSink extends SSTISink {
   override string toString() { result = "argument to chevron.render()" }
 
   ChevronRenderSink() {

python/ql/src/experimental/semmle/python/templates/DjangoTemplate.qll

@@ -4,7 +4,7 @@ import python
 import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
-ClassValue theDjangoTemplateClass() { result = Value::named("django.template.Template") }
+deprecated ClassValue theDjangoTemplateClass() { result = Value::named("django.template.Template") }
 
 /**
  * Sink representng `django.template.Template` class instantiation argument.
@@ -12,7 +12,7 @@ ClassValue theDjangoTemplateClass() { result = Value::named("django.template.Tem
  *  from django.template import Template
  *  template = Template(`sink`)
  */
-class DjangoTemplateTemplateSink extends SSTISink {
+deprecated class DjangoTemplateTemplateSink extends SSTISink {
   override string toString() { result = "argument to Django.template()" }
 
   DjangoTemplateTemplateSink() {

python/ql/src/experimental/semmle/python/templates/FlaskTemplate.qll

@@ -4,7 +4,9 @@ import python
 import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
-Value theFlaskRenderTemplateClass() { result = Value::named("flask.render_template_string") }
+deprecated Value theFlaskRenderTemplateClass() {
+  result = Value::named("flask.render_template_string")
+}
 
 /**
  * Sink representng `flask.render_template_string` function call argument.
@@ -12,7 +14,7 @@ Value theFlaskRenderTemplateClass() { result = Value::named("flask.render_templa
  *  from flask import render_template_string
  *  render_template_string(`sink`)
  */
-class FlaskTemplateSink extends SSTISink {
+deprecated class FlaskTemplateSink extends SSTISink {
   override string toString() { result = "argument to flask.render_template_string()" }
 
   FlaskTemplateSink() {

python/ql/src/experimental/semmle/python/templates/Genshi.qll

@@ -5,10 +5,12 @@ import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
 /** returns the ClassValue representing `Genshi.template.TextTemplate` */
-ClassValue theGenshiTextTemplateClass() { result = Value::named("genshi.template.TextTemplate") }
+deprecated ClassValue theGenshiTextTemplateClass() {
+  result = Value::named("genshi.template.TextTemplate")
+}
 
 /** returns the ClassValue representing `Genshi.template.MarkupTemplate` */
-ClassValue theGenshiMarkupTemplateClass() {
+deprecated ClassValue theGenshiMarkupTemplateClass() {
   result = Value::named("genshi.template.MarkupTemplate")
 }
 
@@ -18,7 +20,7 @@ ClassValue theGenshiMarkupTemplateClass() {
  *  from genshi.template import TextTemplate
  *  tmpl = TextTemplate('sink')
  */
-class GenshiTextTemplateSink extends SSTISink {
+deprecated class GenshiTextTemplateSink extends SSTISink {
   override string toString() { result = "argument to genshi.template.TextTemplate()" }
 
   GenshiTextTemplateSink() {
@@ -37,7 +39,7 @@ class GenshiTextTemplateSink extends SSTISink {
  *  from genshi.template import MarkupTemplate
  *  tmpl = MarkupTemplate('sink')
  */
-class GenshiMarkupTemplateSink extends SSTISink {
+deprecated class GenshiMarkupTemplateSink extends SSTISink {
   override string toString() { result = "argument to genshi.template.MarkupTemplate()" }
 
   GenshiMarkupTemplateSink() {

python/ql/src/experimental/semmle/python/templates/Jinja.qll

@@ -5,10 +5,10 @@ import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
 /** returns the ClassValue representing `jinja2.Template` */
-ClassValue theJinja2TemplateClass() { result = Value::named("jinja2.Template") }
+deprecated ClassValue theJinja2TemplateClass() { result = Value::named("jinja2.Template") }
 
 /** returns the ClassValue representing `jinja2.Template` */
-Value theJinja2FromStringValue() { result = Value::named("jinja2.from_string") }
+deprecated Value theJinja2FromStringValue() { result = Value::named("jinja2.from_string") }
 
 /**
  * Sink representing the `jinja2.Template` class instantiation argument.
@@ -16,7 +16,7 @@ Value theJinja2FromStringValue() { result = Value::named("jinja2.from_string") }
  *  from jinja2 import Template
  *  template = Template(`sink`)
  */
-class Jinja2TemplateSink extends SSTISink {
+deprecated class Jinja2TemplateSink extends SSTISink {
   override string toString() { result = "argument to jinja2.Template()" }
 
   Jinja2TemplateSink() {
@@ -35,7 +35,7 @@ class Jinja2TemplateSink extends SSTISink {
  *  from jinja2 import from_string
  *  template = from_string(`sink`)
  */
-class Jinja2FromStringSink extends SSTISink {
+deprecated class Jinja2FromStringSink extends SSTISink {
   override string toString() { result = "argument to jinja2.from_string()" }
 
   Jinja2FromStringSink() {

python/ql/src/experimental/semmle/python/templates/Mako.qll

@@ -5,7 +5,7 @@ import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
 /** returns the ClassValue representing `mako.template.Template` */
-ClassValue theMakoTemplateClass() { result = Value::named("mako.template.Template") }
+deprecated ClassValue theMakoTemplateClass() { result = Value::named("mako.template.Template") }
 
 /**
  * Sink representing the `mako.template.Template` class instantiation argument.
@@ -13,7 +13,7 @@ ClassValue theMakoTemplateClass() { result = Value::named("mako.template.Templat
  *  from mako.template import Template
  *  mytemplate = Template("hello world!")
  */
-class MakoTemplateSink extends SSTISink {
+deprecated class MakoTemplateSink extends SSTISink {
   override string toString() { result = "argument to mako.template.Template()" }
 
   MakoTemplateSink() {

python/ql/src/experimental/semmle/python/templates/SSTISink.qll

@@ -4,4 +4,4 @@ import semmle.python.dataflow.TaintTracking
  * A generic taint sink that is vulnerable to template inclusions.
  * The `temp` in `jinja2.Template(temp)` and similar.
  */
-abstract class SSTISink extends TaintSink { }
+abstract deprecated class SSTISink extends TaintSink { }

python/ql/src/experimental/semmle/python/templates/TRender.qll

@@ -5,7 +5,7 @@ import semmle.python.web.HttpRequest
 import experimental.semmle.python.templates.SSTISink
 
 /** returns the ClassValue representing `trender.TRender` */
-ClassValue theTRenderTemplateClass() { result = Value::named("trender.TRender") }
+deprecated ClassValue theTRenderTemplateClass() { result = Value::named("trender.TRender") }
 
 /**
  * Sink representing the `trender.TRender` class instantiation argument.
@@ -13,7 +13,7 @@ ClassValue theTRenderTemplateClass() { result = Value::named("trender.TRender")
  *  from trender import TRender
  *  template = TRender(`sink`)
  */
-class TRenderTemplateSink extends SSTISink {
+deprecated class TRenderTemplateSink extends SSTISink {
   override string toString() { result = "argument to trender.TRender()" }
 
   TRenderTemplateSink() {

python/ql/test/experimental/semmle/python/templates/AirspeedSSTISinks.expected

@@ -1 +1,2 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (AirspeedSSTISinks.ql:4,6-14)
 | Airspeed.py:10:30:10:35 | argument to airspeed.Template() |

python/ql/test/experimental/semmle/python/templates/BottleSSTISinks.expected

@@ -1,2 +1,3 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (BottleSSTISinks.ql:4,6-14)
 | Bottle.py:11:26:11:33 | argument to bottle.SimpleTemplate() |
 | Bottle.py:17:17:17:24 | argument to bottle.template() |

python/ql/test/experimental/semmle/python/templates/ChameleonSSTISinks.expected

@@ -1 +1,2 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (ChameleonSSTISinks.ql:4,6-14)
 | Chameleon.py:5:29:5:34 | argument to Chameleon.PageTemplate() |

python/ql/test/experimental/semmle/python/templates/CheetahSSTISinks.expected

@@ -1,2 +1,3 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (CheetahSSTISinks.ql:4,6-14)
 | CheetahSinks.py:10:21:10:26 | argument to Cheetah.Template.Template() |
 | CheetahSinks.py:20:20:20:25 | argument to Cheetah.Template.Template() |

python/ql/test/experimental/semmle/python/templates/ChevronSSTISinks.expected

@@ -1 +1,2 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (ChevronSSTISinks.ql:4,6-14)
 | ChevronSinks.py:10:27:10:32 | argument to chevron.render() |

python/ql/test/experimental/semmle/python/templates/DjangoSSTISinks.expected

@@ -1 +1,2 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (DjangoSSTISinks.ql:4,6-14)
 | DjangoTemplates.py:9:18:9:25 | argument to Django.template() |

python/ql/test/experimental/semmle/python/templates/GenshiSSTISinks.expected

@@ -1,2 +1,3 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (GenshiSSTISinks.ql:4,6-14)
 | Genshi.py:5:27:5:32 | argument to genshi.template.MarkupTemplate() |
 | Genshi.py:10:25:10:30 | argument to genshi.template.TextTemplate() |

python/ql/test/experimental/semmle/python/templates/JinjaSSTISinks.expected

@@ -1,3 +1,4 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (JinjaSSTISinks.ql:4,6-14)
 | Jinja2Templates.py:6:25:6:30 | argument to jinja2.Template() |
 | Jinja2Templates.py:11:25:11:30 | argument to jinja2.Template() |
 | Jinja2Templates.py:16:25:16:37 | argument to jinja2.Template() |

python/ql/test/experimental/semmle/python/templates/MakoSSTISinks.expected

@@ -1 +1,2 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (MakoSSTISinks.ql:4,6-14)
 | Mako.py:5:27:5:32 | argument to mako.template.Template() |

python/ql/test/experimental/semmle/python/templates/TRenderSSTISinks.expected

@@ -1 +1,2 @@
+WARNING: Type SSTISink has been deprecated and may be removed in future (TRenderSSTISinks.ql:4,6-14)
 | TRender.py:6:24:6:31 | argument to trender.TRender() |