Merge branch 'main' into shared-http-client-request

python/ql/src/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.4.2
+
+### New Queries
+
+* Added a new query, `py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match 
+  too many characters.
+
 ## 0.4.1
 
 ## 0.4.0

python/ql/src/Exceptions/EmptyExcept.ql

@@ -12,6 +12,7 @@
  */
 
 import python
+import semmle.python.ApiGraphs
 
 predicate empty_except(ExceptStmt ex) {
   not exists(Stmt s | s = ex.getAStmt() and not s instanceof Pass)
@@ -28,7 +29,7 @@ predicate no_comment(ExceptStmt ex) {
 }
 
 predicate non_local_control_flow(ExceptStmt ex) {
-  ex.getType().pointsTo(ClassValue::stopIteration())
+  ex.getType() = API::builtin("StopIteration").getAValueReachableFromSource().asExpr()
 }
 
 predicate try_has_normal_exit(Try try) {
@@ -61,27 +62,32 @@ predicate subscript(Stmt s) {
   s.(Delete).getATarget() instanceof Subscript
 }
 
-predicate encode_decode(Call ex, ClassValue type) {
+predicate encode_decode(Call ex, Expr type) {
   exists(string name | ex.getFunc().(Attribute).getName() = name |
-    name = "encode" and type = ClassValue::unicodeEncodeError()
+    name = "encode" and
+    type = API::builtin("UnicodeEncodeError").getAValueReachableFromSource().asExpr()
     or
-    name = "decode" and type = ClassValue::unicodeDecodeError()
+    name = "decode" and
+    type = API::builtin("UnicodeDecodeError").getAValueReachableFromSource().asExpr()
   )
 }
 
-predicate small_handler(ExceptStmt ex, Stmt s, ClassValue type) {
+predicate small_handler(ExceptStmt ex, Stmt s, Expr type) {
   not exists(ex.getTry().getStmt(1)) and
   s = ex.getTry().getStmt(0) and
-  ex.getType().pointsTo(type)
+  ex.getType() = type
 }
 
 predicate focussed_handler(ExceptStmt ex) {
-  exists(Stmt s, ClassValue type | small_handler(ex, s, type) |
-    subscript(s) and type.getASuperType() = ClassValue::lookupError()
+  exists(Stmt s, Expr type | small_handler(ex, s, type) |
+    subscript(s) and
+    type = API::builtin("IndexError").getASubclass*().getAValueReachableFromSource().asExpr()
     or
-    attribute_access(s) and type = ClassValue::attributeError()
+    attribute_access(s) and
+    type = API::builtin("AttributeError").getAValueReachableFromSource().asExpr()
     or
-    s.(ExprStmt).getValue() instanceof Name and type = ClassValue::nameError()
+    s.(ExprStmt).getValue() instanceof Name and
+    type = API::builtin("NameError").getAValueReachableFromSource().asExpr()
     or
     encode_decode(s.(ExprStmt).getValue(), type)
   )

python/ql/src/Functions/ModificationOfParameterWithDefault.ql

@@ -19,5 +19,5 @@ from
   ModificationOfParameterWithDefault::Configuration config, DataFlow::PathNode source,
   DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is mutated.", source.getNode(),
-  "Default value"
+select sink.getNode(), source, sink, "This expression mutates $@.", source.getNode(),
+  "a default value"

python/ql/src/Lexical/CommentedOutCode.ql

@@ -16,4 +16,4 @@ import Lexical.CommentedOutCode
 
 from CommentedOutCodeBlock c
 where not c.maybeExampleCode()
-select c, "These comments appear to contain commented-out code."
+select c, "This comment appears to contain commented-out code."

python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll

@@ -129,7 +129,9 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
 /** DEPRECATED: Alias for UntrustedExternalApiDataNode */
 deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
 
+/** An external API which is used with untrusted data. */
 private newtype TExternalApi =
+  /** An untrusted API method `m` where untrusted data is passed at `index`. */
   TExternalApiParameter(DataFlowPrivate::DataFlowCallable callable, int index) {
     exists(UntrustedExternalApiDataNode n |
       callable = n.getCallable() and

python/ql/src/Security/CWE-022/TarSlip.ql

@@ -18,5 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Extraction of tarfile from $@", source.getNode(),
+select sink.getNode(), source, sink, "This file extraction depends on $@", source.getNode(),
   "a potentially untrusted source"

python/ql/src/Security/CWE-078/CommandInjection.ql

@@ -20,5 +20,5 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
+select sink.getNode(), source, sink, "This command line depends on $@.", source.getNode(),
   "a user-provided value"

python/ql/src/Security/CWE-090/LdapInjection.ql

@@ -23,6 +23,5 @@ where
   or
   any(FilterConfiguration filterConfig).hasFlowPath(source, sink) and
   parameterName = "filter"
-select sink.getNode(), source, sink,
-  "$@ LDAP query parameter (" + parameterName + ") comes from $@.", sink.getNode(), "This",
-  source.getNode(), "a user-provided value"
+select sink.getNode(), source, sink, "$@ depends on $@.", sink.getNode(),
+  "LDAP query parameter (" + parameterName + ")", source.getNode(), "a user-provided value"

python/ql/src/Security/CWE-094/CodeInjection.ql

@@ -20,5 +20,5 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
-  source.getNode(), "A user-provided value"
+select sink.getNode(), source, sink, "This code execution depends on $@.", source.getNode(),
+  "a user-provided value"

python/ql/src/Security/CWE-117/LogInjection.ql

@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to log entry.", source.getNode(),
-  "User-provided value"
+select sink.getNode(), source, sink, "This log entry depends on $@.", source.getNode(),
+  "a user-provided value"

python/ql/src/Security/CWE-209/StackTraceExposure.ql

@@ -19,5 +19,6 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ may be exposed to an external user", source.getNode(),
-  "Error information"
+select sink.getNode(), source, sink,
+  "$@ flows to this location and may be exposed to an external user.", source.getNode(),
+  "Stack trace information"

python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql

@@ -19,14 +19,14 @@ private API::Node unsafe_paramiko_policy(string name) {
   result = API::moduleImport("paramiko").getMember("client").getMember(name)
 }
 
-private API::Node paramikoSSHClientInstance() {
+private API::Node paramikoSshClientInstance() {
   result = API::moduleImport("paramiko").getMember("client").getMember("SSHClient").getReturn()
 }
 
 from DataFlow::CallCfgNode call, DataFlow::Node arg, string name
 where
   // see http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.set_missing_host_key_policy
-  call = paramikoSSHClientInstance().getMember("set_missing_host_key_policy").getACall() and
+  call = paramikoSshClientInstance().getMember("set_missing_host_key_policy").getACall() and
   arg in [call.getArg(0), call.getArgByName("policy")] and
   (
     arg = unsafe_paramiko_policy(name).getAValueReachableFromSource() or

python/ql/src/Security/CWE-312/CleartextLogging.ql

@@ -22,5 +22,5 @@ from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, s
 where
   config.hasFlowPath(source, sink) and
   classification = source.getNode().(Source).getClassification()
-select sink.getNode(), source, sink, "$@ is logged here.", source.getNode(),
-  "Sensitive data (" + classification + ")"
+select sink.getNode(), source, sink, "This log entry depends on $@.", source.getNode(),
+  "sensitive data (" + classification + ")"

python/ql/src/Security/CWE-312/CleartextStorage.ql

@@ -22,5 +22,5 @@ from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, s
 where
   config.hasFlowPath(source, sink) and
   classification = source.getNode().(Source).getClassification()
-select sink.getNode(), source, sink, "$@ is stored here.", source.getNode(),
-  "Sensitive data (" + classification + ")"
+select sink.getNode(), source, sink, "This data storage depends on $@.", source.getNode(),
+  "sensitive data (" + classification + ")"

python/ql/src/Security/CWE-327/PyOpenSSL.qll

@@ -7,13 +7,13 @@ private import python
 private import semmle.python.ApiGraphs
 import TlsLibraryModel
 
-class PyOpenSSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
-  PyOpenSSLContextCreation() {
+class PyOpenSslContextCreation extends ContextCreation, DataFlow::CallCfgNode {
+  PyOpenSslContextCreation() {
     this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Context").getACall()
   }
 
   override string getProtocol() {
-    exists(DataFlow::Node protocolArg, PyOpenSSL pyo |
+    exists(DataFlow::Node protocolArg, PyOpenSsl pyo |
       protocolArg in [this.getArg(0), this.getArgByName("method")]
     |
       protocolArg in [
@@ -51,12 +51,12 @@ class SetOptionsCall extends ProtocolRestriction, DataFlow::CallCfgNode {
   }
 }
 
-class UnspecificPyOpenSSLContextCreation extends PyOpenSSLContextCreation, UnspecificContextCreation {
-  UnspecificPyOpenSSLContextCreation() { library instanceof PyOpenSSL }
+class UnspecificPyOpenSslContextCreation extends PyOpenSslContextCreation, UnspecificContextCreation {
+  UnspecificPyOpenSslContextCreation() { library instanceof PyOpenSsl }
 }
 
-class PyOpenSSL extends TlsLibrary {
-  PyOpenSSL() { this = "pyOpenSSL" }
+class PyOpenSsl extends TlsLibrary {
+  PyOpenSsl() { this = "pyOpenSSL" }
 
   override string specific_version_name(ProtocolVersion version) { result = version + "_METHOD" }
 
@@ -70,7 +70,7 @@ class PyOpenSSL extends TlsLibrary {
   override ContextCreation default_context_creation() { none() }
 
   override ContextCreation specific_context_creation() {
-    result instanceof PyOpenSSLContextCreation
+    result instanceof PyOpenSslContextCreation
   }
 
   override DataFlow::Node insecure_connection_creation(ProtocolVersion version) { none() }
@@ -80,6 +80,6 @@ class PyOpenSSL extends TlsLibrary {
   override ProtocolRestriction protocol_restriction() { result instanceof SetOptionsCall }
 
   override ProtocolUnrestriction protocol_unrestriction() {
-    result instanceof UnspecificPyOpenSSLContextCreation
+    result instanceof UnspecificPyOpenSslContextCreation
   }
 }

python/ql/src/Security/CWE-327/Ssl.qll

@@ -7,8 +7,8 @@ private import python
 private import semmle.python.ApiGraphs
 import TlsLibraryModel
 
-class SSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
-  SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
+class SslContextCreation extends ContextCreation, DataFlow::CallCfgNode {
+  SslContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
 
   override string getProtocol() {
     exists(DataFlow::Node protocolArg, Ssl ssl |
@@ -27,8 +27,8 @@ class SSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
   }
 }
 
-class SSLDefaultContextCreation extends ContextCreation {
-  SSLDefaultContextCreation() {
+class SslDefaultContextCreation extends ContextCreation {
+  SslDefaultContextCreation() {
     this = API::moduleImport("ssl").getMember("create_default_context").getACall()
   }
 
@@ -161,8 +161,8 @@ class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction, Data
   }
 }
 
-class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContextCreation {
-  UnspecificSSLContextCreation() { library instanceof Ssl }
+class UnspecificSslContextCreation extends SslContextCreation, UnspecificContextCreation {
+  UnspecificSslContextCreation() { library instanceof Ssl }
 
   override ProtocolVersion getUnrestriction() {
     result = UnspecificContextCreation.super.getUnrestriction() and
@@ -172,7 +172,7 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
   }
 }
 
-class UnspecificSSLDefaultContextCreation extends SSLDefaultContextCreation, ProtocolUnrestriction {
+class UnspecificSslDefaultContextCreation extends SslDefaultContextCreation, ProtocolUnrestriction {
   override DataFlow::Node getContext() { result = this }
 
   // see https://docs.python.org/3/library/ssl.html#ssl.create_default_context
@@ -195,10 +195,10 @@ class Ssl extends TlsLibrary {
   override API::Node version_constants() { result = API::moduleImport("ssl") }
 
   override ContextCreation default_context_creation() {
-    result instanceof SSLDefaultContextCreation
+    result instanceof SslDefaultContextCreation
   }
 
-  override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
+  override ContextCreation specific_context_creation() { result instanceof SslContextCreation }
 
   override DataFlow::CallCfgNode insecure_connection_creation(ProtocolVersion version) {
     result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
@@ -220,8 +220,8 @@ class Ssl extends TlsLibrary {
     or
     result instanceof ContextSetVersion
     or
-    result instanceof UnspecificSSLContextCreation
+    result instanceof UnspecificSslContextCreation
     or
-    result instanceof UnspecificSSLDefaultContextCreation
+    result instanceof UnspecificSslDefaultContextCreation
   }
 }

python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql

@@ -36,14 +36,14 @@ where
       source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
     (
       sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
-      ending = "."
+      ending = ""
       or
       not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
       ending =
-        " for " + classification +
+        " The algorithm is insufficient for " + classification +
           " hashing, since it is not a computationally expensive hash function."
     )
   )
 select sink.getNode(), source, sink,
-  "$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending,
-  source.getNode(), "Sensitive data (" + classification + ")"
+  "Insecure hashing algorithm (" + algorithmName + ") depends on $@." + ending, source.getNode(),
+  "sensitive data (" + classification + ")"

python/ql/src/Security/CWE-502/UnsafeDeserialization.ql

@@ -18,4 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Deserializing of $@.", source.getNode(), "untrusted input"
+select sink.getNode(), source, sink, "Unsafe deserialization depends on $@.", source.getNode(),
+  "a user-provided value"

python/ql/src/Security/CWE-601/UrlRedirect.ql

@@ -18,5 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(),
-  "A user-provided value"
+select sink.getNode(), source, sink, "Untrusted URL redirection depends on $@.", source.getNode(),
+  "a user-provided value"

python/ql/src/Security/CWE-611/Xxe.ql

@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "A $@ is parsed as XML without guarding against external entity expansion.", source.getNode(),
-  "user-provided value"
+  "XML parsing depends on $@ without guarding against external entity expansion.", source.getNode(),
+  "a user-provided value"

python/ql/src/Security/CWE-643/XpathInjection.ql

@@ -17,4 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink, source, sink, "This Xpath query depends on $@.", source, "a user-provided value"
+select sink.getNode(), source, sink, "XPath expression depends on $@.", source.getNode(),
+  "a user-provided value"

python/ql/src/Security/CWE-730/PolynomialReDoS.ql

@@ -4,6 +4,7 @@
  *              to match may be vulnerable to denial-of-service attacks.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 7.5
  * @precision high
  * @id py/polynomial-redos
  * @tags security

python/ql/src/Security/CWE-730/ReDoS.ql

@@ -5,6 +5,7 @@
  *              attacks.
  * @kind problem
  * @problem.severity error
+ * @security-severity 7.5
  * @precision high
  * @id py/redos
  * @tags security

python/ql/src/Security/CWE-730/RegexInjection.ql

@@ -5,6 +5,7 @@
  *              exponential time on certain inputs.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 7.5
  * @precision high
  * @id py/regex-injection
  * @tags security
@@ -23,6 +24,6 @@ from
 where
   config.hasFlowPath(source, sink) and
   regexExecution = sink.getNode().(Sink).getRegexExecution()
-select sink.getNode(), source, sink,
-  "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
-  source.getNode(), "user-provided value", regexExecution, regexExecution.getName()
+select sink.getNode(), source, sink, "$@ depends on $@ and executed by $@.", sink.getNode(),
+  "This regular expression", source.getNode(), "a user-provided value", regexExecution,
+  regexExecution.getName()

python/ql/src/Security/CWE-776/XmlBomb.ql

@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "A $@ is parsed as XML without guarding against uncontrolled entity expansion.", source.getNode(),
-  "user-provided value"
+  "XML parsing depends on $@ without guarding against uncontrolled entity expansion.",
+  source.getNode(), "a user-provided value"

python/ql/src/Statements/UnreachableCode.ql

@@ -61,4 +61,4 @@ predicate reportable_unreachable(Stmt s) {
 
 from Stmt s
 where reportable_unreachable(s)
-select s, "Unreachable statement."
+select s, "This statement is unreachable."

python/ql/src/Variables/UnusedLocalVariable.ql

@@ -43,4 +43,4 @@ where
   unused_local(unused, v) and
   // If unused is part of a tuple, count it as unused if all elements of that tuple are unused.
   forall(Name el | el = unused.getParentNode().(Tuple).getAnElt() | unused_local(el, _))
-select unused, "The value assigned to local variable '" + v.getId() + "' is never used."
+select unused, "Variable " + v.getId() + " is not used"

python/ql/src/change-notes/2022-08-23-alert-messages.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The alert message of many queries have been changed to make the message consistent with other languages.

python/ql/src/change-notes/2022-08-29-missing-security-severity.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Added the `security-severity` tag the `py/redos`, `py/polynomial-redos`, and `py/regex-injection` queries.

python/ql/src/change-notes/released/0.4.2.md

@@ -1,5 +1,6 @@
----
-category: newQuery
----
+## 0.4.2
+
+### New Queries
+
 * Added a new query, `py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match 
   too many characters.

python/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.1
+lastReleaseVersion: 0.4.2

python/ql/src/experimental/Security/CWE-091/Xslt.ql

@@ -17,8 +17,8 @@ import semmle.python.web.HttpRequest
 /* Sinks */
 import experimental.semmle.python.security.injection.XSLT
 
-class XSLTInjectionConfiguration extends TaintTracking::Configuration {
-  XSLTInjectionConfiguration() { this = "XSLT injection configuration" }
+class XsltInjectionConfiguration extends TaintTracking::Configuration {
+  XsltInjectionConfiguration() { this = "XSLT injection configuration" }
 
   deprecated override predicate isSource(TaintTracking::Source source) {
     source instanceof HttpRequestTaintSource
@@ -29,7 +29,7 @@ class XSLTInjectionConfiguration extends TaintTracking::Configuration {
   }
 }
 
-from XSLTInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
+from XsltInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
 where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "This XSLT query depends on $@.", src.getSource(),
   "a user-provided value"

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -182,7 +182,10 @@ module LdapBind {
     /**
      * Holds if the binding process use SSL.
      */
-    abstract predicate useSSL();
+    abstract predicate useSsl();
+
+    /** DEPRECATED: Alias for useSsl */
+    deprecated predicate useSSL() { useSsl() }
   }
 }
 
@@ -213,7 +216,10 @@ class LdapBind extends DataFlow::Node {
   /**
    * Holds if the binding process use SSL.
    */
-  predicate useSSL() { range.useSSL() }
+  predicate useSsl() { range.useSsl() }
+
+  /** DEPRECATED: Alias for useSsl */
+  deprecated predicate useSSL() { useSsl() }
 }
 
 /** DEPRECATED: Alias for LdapBind */

python/ql/src/experimental/semmle/python/frameworks/Django.qll

@@ -22,11 +22,14 @@ private module ExperimentalPrivateDjango {
 
       module Request {
         module HttpRequest {
-          class DjangoGETParameter extends DataFlow::Node, RemoteFlowSource::Range {
-            DjangoGETParameter() { this = request().getMember("GET").getMember("get").getACall() }
+          class DjangoGetParameter extends DataFlow::Node, RemoteFlowSource::Range {
+            DjangoGetParameter() { this = request().getMember("GET").getMember("get").getACall() }
 
             override string getSourceType() { result = "django.http.request.GET.get" }
           }
+
+          /** DEPRECATED: Alias for DjangoGetParameter */
+          deprecated class DjangoGETParameter = DjangoGetParameter;
         }
       }
 

python/ql/src/experimental/semmle/python/frameworks/LDAP.qll

@@ -12,13 +12,13 @@ private import semmle.python.ApiGraphs
 /**
  * Provides models for Python's ldap-related libraries.
  */
-private module LDAP {
+private module Ldap {
   /**
    * Provides models for the `python-ldap` PyPI package (imported as `ldap`).
    *
    * See https://www.python-ldap.org/en/python-ldap-3.3.0/index.html
    */
-  private module LDAP2 {
+  private module Ldap2 {
     /** Gets a reference to the `ldap` module. */
     API::Node ldap() { result = API::moduleImport("ldap") }
 
@@ -38,8 +38,8 @@ private module LDAP {
      *
      * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#functions
      */
-    private class LDAP2QueryMethods extends string {
-      LDAP2QueryMethods() {
+    private class Ldap2QueryMethods extends string {
+      Ldap2QueryMethods() {
         this in ["search", "search_s", "search_st", "search_ext", "search_ext_s"]
       }
     }
@@ -52,7 +52,7 @@ private module LDAP {
     /** Gets a reference to a `ldap` query. */
     private DataFlow::Node ldapQuery() {
       result = ldapOperation() and
-      result.(DataFlow::AttrRead).getAttributeName() instanceof LDAP2QueryMethods
+      result.(DataFlow::AttrRead).getAttributeName() instanceof Ldap2QueryMethods
     }
 
     /**
@@ -60,8 +60,8 @@ private module LDAP {
      *
      * See `LDAP2QueryMethods`
      */
-    private class LDAP2Query extends DataFlow::CallCfgNode, LdapQuery::Range {
-      LDAP2Query() { this.getFunction() = ldapQuery() }
+    private class Ldap2Query extends DataFlow::CallCfgNode, LdapQuery::Range {
+      Ldap2Query() { this.getFunction() = ldapQuery() }
 
       override DataFlow::Node getQuery() {
         result in [this.getArg(0), this.getArg(2), this.getArgByName("filterstr")]
@@ -73,8 +73,8 @@ private module LDAP {
      *
      * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#functions
      */
-    private class LDAP2BindMethods extends string {
-      LDAP2BindMethods() {
+    private class Ldap2BindMethods extends string {
+      Ldap2BindMethods() {
         this in [
             "bind", "bind_s", "simple_bind", "simple_bind_s", "sasl_interactive_bind_s",
             "sasl_non_interactive_bind_s", "sasl_external_bind_s", "sasl_gssapi_bind_s"
@@ -85,12 +85,12 @@ private module LDAP {
     /** Gets a reference to a `ldap` bind. */
     private DataFlow::Node ldapBind() {
       result = ldapOperation() and
-      result.(DataFlow::AttrRead).getAttributeName() instanceof LDAP2BindMethods
+      result.(DataFlow::AttrRead).getAttributeName() instanceof Ldap2BindMethods
     }
 
     /**List of SSL-demanding options */
-    private class LDAPSSLOptions extends DataFlow::Node {
-      LDAPSSLOptions() {
+    private class LdapSslOptions extends DataFlow::Node {
+      LdapSslOptions() {
         this = ldap().getMember("OPT_X_TLS_" + ["DEMAND", "HARD"]).getAValueReachableFromSource()
       }
     }
@@ -100,8 +100,8 @@ private module LDAP {
      *
      * See `LDAP2BindMethods`
      */
-    private class LDAP2Bind extends DataFlow::CallCfgNode, LdapBind::Range {
-      LDAP2Bind() { this.getFunction() = ldapBind() }
+    private class Ldap2Bind extends DataFlow::CallCfgNode, LdapBind::Range {
+      Ldap2Bind() { this.getFunction() = ldapBind() }
 
       override DataFlow::Node getPassword() {
         result in [this.getArg(1), this.getArgByName("cred")]
@@ -115,20 +115,20 @@ private module LDAP {
         )
       }
 
-      override predicate useSSL() {
+      override predicate useSsl() {
         // use initialize to correlate `this` and so avoid FP in several instances
         exists(DataFlow::CallCfgNode initialize |
           // ldap.set_option(ldap.OPT_X_TLS_%s)
-          ldap().getMember("set_option").getACall().getArg(_) instanceof LDAPSSLOptions
+          ldap().getMember("set_option").getACall().getArg(_) instanceof LdapSslOptions
           or
           this.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() = initialize and
           initialize = ldapInitialize().getACall() and
           (
             // ldap_connection.start_tls_s()
             // see https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap.LDAPObject.start_tls_s
-            exists(DataFlow::MethodCallNode startTLS |
-              startTLS.getObject().getALocalSource() = initialize and
-              startTLS.getMethodName() = "start_tls_s"
+            exists(DataFlow::MethodCallNode startTls |
+              startTls.getObject().getALocalSource() = initialize and
+              startTls.getMethodName() = "start_tls_s"
             )
             or
             // ldap_connection.set_option(ldap.OPT_X_TLS_%s, True)
@@ -136,7 +136,7 @@ private module LDAP {
               setOption.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() =
                 initialize and
               setOption.getFunction().(DataFlow::AttrRead).getAttributeName() = "set_option" and
-              setOption.getArg(0) instanceof LDAPSSLOptions and
+              setOption.getArg(0) instanceof LdapSslOptions and
               not DataFlow::exprNode(any(False falseExpr))
                   .(DataFlow::LocalSourceNode)
                   .flowsTo(setOption.getArg(1))
@@ -144,6 +144,9 @@ private module LDAP {
           )
         )
       }
+
+      /** DEPRECATED: Alias for useSsl */
+      deprecated override predicate useSSL() { this.useSsl() }
     }
 
     /**
@@ -151,8 +154,8 @@ private module LDAP {
      *
      * See https://github.com/python-ldap/python-ldap/blob/7ce471e238cdd9a4dd8d17baccd1c9e05e6f894a/Lib/ldap/dn.py#L17
      */
-    private class LDAP2EscapeDNCall extends DataFlow::CallCfgNode, LdapEscape::Range {
-      LDAP2EscapeDNCall() { this = ldap().getMember("dn").getMember("escape_dn_chars").getACall() }
+    private class Ldap2EscapeDNCall extends DataFlow::CallCfgNode, LdapEscape::Range {
+      Ldap2EscapeDNCall() { this = ldap().getMember("dn").getMember("escape_dn_chars").getACall() }
 
       override DataFlow::Node getAnInput() { result = this.getArg(0) }
     }
@@ -162,8 +165,8 @@ private module LDAP {
      *
      * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-filter.html#ldap.filter.escape_filter_chars
      */
-    private class LDAP2EscapeFilterCall extends DataFlow::CallCfgNode, LdapEscape::Range {
-      LDAP2EscapeFilterCall() {
+    private class Ldap2EscapeFilterCall extends DataFlow::CallCfgNode, LdapEscape::Range {
+      Ldap2EscapeFilterCall() {
         this = ldap().getMember("filter").getMember("escape_filter_chars").getACall()
       }
 
@@ -176,7 +179,7 @@ private module LDAP {
    *
    * See https://pypi.org/project/ldap3/
    */
-  private module LDAP3 {
+  private module Ldap3 {
     /** Gets a reference to the `ldap3` module. */
     API::Node ldap3() { result = API::moduleImport("ldap3") }
 
@@ -192,8 +195,8 @@ private module LDAP {
     /**
      * A class to find `ldap3` methods executing a query.
      */
-    private class LDAP3Query extends DataFlow::CallCfgNode, LdapQuery::Range {
-      LDAP3Query() {
+    private class Ldap3Query extends DataFlow::CallCfgNode, LdapQuery::Range {
+      Ldap3Query() {
         this.getFunction().(DataFlow::AttrRead).getObject().getALocalSource() =
           ldap3Connection().getACall() and
         this.getFunction().(DataFlow::AttrRead).getAttributeName() = "search"
@@ -205,8 +208,8 @@ private module LDAP {
     /**
      * A class to find `ldap3` methods binding a connection.
      */
-    class LDAP3Bind extends DataFlow::CallCfgNode, LdapBind::Range {
-      LDAP3Bind() { this = ldap3Connection().getACall() }
+    class Ldap3Bind extends DataFlow::CallCfgNode, LdapBind::Range {
+      Ldap3Bind() { this = ldap3Connection().getACall() }
 
       override DataFlow::Node getPassword() {
         result in [this.getArg(2), this.getArgByName("password")]
@@ -220,7 +223,7 @@ private module LDAP {
         )
       }
 
-      override predicate useSSL() {
+      override predicate useSsl() {
         exists(DataFlow::CallCfgNode serverCall |
           serverCall = ldap3Server().getACall() and
           this.getArg(0).getALocalSource() = serverCall and
@@ -231,11 +234,14 @@ private module LDAP {
         or
         // ldap_connection.start_tls_s()
         // see https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap.LDAPObject.start_tls_s
-        exists(DataFlow::MethodCallNode startTLS |
-          startTLS.getMethodName() = "start_tls_s" and
-          startTLS.getObject().getALocalSource() = this
+        exists(DataFlow::MethodCallNode startTls |
+          startTls.getMethodName() = "start_tls_s" and
+          startTls.getObject().getALocalSource() = this
         )
       }
+
+      /** DEPRECATED: Alias for useSsl */
+      deprecated override predicate useSSL() { this.useSsl() }
     }
 
     /**
@@ -243,8 +249,8 @@ private module LDAP {
      *
      * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/dn.py#L390
      */
-    private class LDAP3EscapeDNCall extends DataFlow::CallCfgNode, LdapEscape::Range {
-      LDAP3EscapeDNCall() { this = ldap3Utils().getMember("dn").getMember("escape_rdn").getACall() }
+    private class Ldap3EscapeDNCall extends DataFlow::CallCfgNode, LdapEscape::Range {
+      Ldap3EscapeDNCall() { this = ldap3Utils().getMember("dn").getMember("escape_rdn").getACall() }
 
       override DataFlow::Node getAnInput() { result = this.getArg(0) }
     }
@@ -254,8 +260,8 @@ private module LDAP {
      *
      * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/conv.py#L91
      */
-    private class LDAP3EscapeFilterCall extends DataFlow::CallCfgNode, LdapEscape::Range {
-      LDAP3EscapeFilterCall() {
+    private class Ldap3EscapeFilterCall extends DataFlow::CallCfgNode, LdapEscape::Range {
+      Ldap3EscapeFilterCall() {
         this = ldap3Utils().getMember("conv").getMember("escape_filter_chars").getACall()
       }
 

python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll

@@ -31,8 +31,8 @@ module SmtpLib {
    * argument. Used because of the impossibility to get local source nodes from `_subparts`'
    * `(List|Tuple)` elements.
    */
-  private class SMTPMessageConfig extends TaintTracking2::Configuration {
-    SMTPMessageConfig() { this = "SMTPMessageConfig" }
+  private class SmtpMessageConfig extends TaintTracking2::Configuration {
+    SmtpMessageConfig() { this = "SMTPMessageConfig" }
 
     override predicate isSource(DataFlow::Node source) { source = mimeText(_) }
 
@@ -87,7 +87,7 @@ module SmtpLib {
         sink =
           [sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()]
               .getALocalSource() and
-        any(SMTPMessageConfig a)
+        any(SmtpMessageConfig a)
             .hasFlow(source, sink.(DataFlow::CallCfgNode).getArgByName("_subparts"))
         or
         // via .attach()
@@ -117,7 +117,7 @@ module SmtpLib {
    * * `sub` would be `message["Subject"]` (`Subscript`)
    * * `result` would be `"multipart test"`
    */
-  private DataFlow::Node getSMTPSubscriptByIndex(DataFlow::CallCfgNode sendCall, string index) {
+  private DataFlow::Node getSmtpSubscriptByIndex(DataFlow::CallCfgNode sendCall, string index) {
     exists(DefinitionNode def, Subscript sub |
       sub = def.getNode() and
       DataFlow::exprNode(sub.getObject()).getALocalSource() =
@@ -163,15 +163,15 @@ module SmtpLib {
     override DataFlow::Node getHtmlBody() { result = getSmtpMessage(this, "html") }
 
     override DataFlow::Node getTo() {
-      result in [this.getArg(1), getSMTPSubscriptByIndex(this, "To")]
+      result in [this.getArg(1), getSmtpSubscriptByIndex(this, "To")]
     }
 
     override DataFlow::Node getFrom() {
-      result in [this.getArg(0), getSMTPSubscriptByIndex(this, "From")]
+      result in [this.getArg(0), getSmtpSubscriptByIndex(this, "From")]
     }
 
     override DataFlow::Node getSubject() {
-      result in [this.getArg(2), getSMTPSubscriptByIndex(this, "Subject")]
+      result in [this.getArg(2), getSmtpSubscriptByIndex(this, "Subject")]
     }
   }
 }

python/ql/src/experimental/semmle/python/security/LDAPInsecureAuth.qll

@@ -122,7 +122,7 @@ class LdapInsecureAuthConfig extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(LdapBind ldapBind | not ldapBind.useSSL() and sink = ldapBind.getHost())
+    exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
   }
 }
 

python/ql/src/experimental/semmle/python/security/injection/XSLT.qll

@@ -11,12 +11,15 @@ import semmle.python.dataflow.TaintTracking
 import semmle.python.web.HttpRequest
 
 /** Models XSLT Injection related classes and functions */
-module XSLTInjection {
+module XsltInjection {
   /** Returns a class value which refers to `lxml.etree` */
   Value etree() { result = Value::named("lxml.etree") }
 
   /** A generic taint sink that is vulnerable to XSLT injection. */
-  abstract class XSLTInjectionSink extends TaintSink { }
+  abstract class XsltInjectionSink extends TaintSink { }
+
+  /** DEPRECATED: Alias for XsltInjectionSink */
+  deprecated class XSLTInjectionSink = XsltInjectionSink;
 
   /**
    * A kind of "taint", representing an untrusted XML string
@@ -73,10 +76,10 @@ module XSLTInjection {
    *    root = etree.XML("<xmlContent>")
    *    find_text = etree.XSLT("`sink`")
    */
-  private class EtreeXSLTArgument extends XSLTInjectionSink {
+  private class EtreeXsltArgument extends XsltInjectionSink {
     override string toString() { result = "lxml.etree.XSLT" }
 
-    EtreeXSLTArgument() {
+    EtreeXsltArgument() {
       exists(CallNode call | call.getFunction().(AttrNode).getObject("XSLT").pointsTo(etree()) |
         call.getArg(0) = this
       )
@@ -94,10 +97,10 @@ module XSLTInjection {
    *    tree = etree.parse(f)
    *    result_tree = tree.xslt(`sink`)
    */
-  private class ParseXSLTArgument extends XSLTInjectionSink {
+  private class ParseXsltArgument extends XsltInjectionSink {
     override string toString() { result = "lxml.etree.parse.xslt" }
 
-    ParseXSLTArgument() {
+    ParseXsltArgument() {
       exists(
         CallNode parseCall, CallNode xsltCall, ControlFlowNode obj, Variable var, AssignStmt assign
       |
@@ -113,3 +116,6 @@ module XSLTInjection {
     override predicate sinks(TaintKind kind) { kind instanceof ExternalXmlKind }
   }
 }
+
+/** DEPRECATED: Alias for XsltInjection */
+deprecated module XSLTInjection = XsltInjection;

python/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 0.4.2-dev
+version: 0.4.3-dev
 groups: 
   - python
   - queries