Java: Deprecate the content of ExternallyControlledFormatStringLocalQuery and remove the externally controlled format string local query variant.

2026-04-26 17:25:19 +02:00 · 2024-04-30 14:40:24 +02:00
parent 85a4dd0325
commit acd0fa4b7b
7 changed files with 26 additions and 53 deletions
--- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll
@@ -5,7 +5,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.StringFormat

 /** A taint-tracking configuration to reason about externally-controlled format strings from local sources. */
-module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
+deprecated module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) {
@@ -18,7 +18,9 @@ module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSi
 }

 /**
+ * DEPRECATED: Use `ExternallyControlledFormatStringFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for externally-controlled format strings from local sources.
 */
-module ExternallyControlledFormatStringLocalFlow =
+deprecated module ExternallyControlledFormatStringLocalFlow =
  TaintTracking::Global<ExternallyControlledFormatStringLocalConfig>;
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="ExternallyControlledFormatString.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
@@ -1,25 +0,0 @@
-/**
- * @name Use of externally-controlled format string from local source
- * @description Using external input in format strings can lead to exceptions or information leaks.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 9.3
- * @precision medium
- * @id java/tainted-format-string-local
- * @tags security
- *       external/cwe/cwe-134
- */
-
-import java
-import semmle.code.java.StringFormat
-import semmle.code.java.security.ExternallyControlledFormatStringLocalQuery
-import ExternallyControlledFormatStringLocalFlow::PathGraph
-
-from
-  ExternallyControlledFormatStringLocalFlow::PathNode source,
-  ExternallyControlledFormatStringLocalFlow::PathNode sink, StringFormat formatCall
-where
-  ExternallyControlledFormatStringLocalFlow::flowPath(source, sink) and
-  sink.getNode().asExpr() = formatCall.getFormatArgument()
-select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
-  source.getNode(), "user-provided value"
--- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.expected
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.expected
@@ -1,12 +1,28 @@
 edges
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:19:19:19:30 | userProperty | provenance | Src:MaD:43040  |
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:21:23:21:34 | userProperty | provenance | Src:MaD:43040  Sink:MaD:42905 |
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:23:23:23:34 | userProperty | provenance | Src:MaD:43040  Sink:MaD:42908 |
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:25:28:25:39 | userProperty | provenance | Src:MaD:43040  |
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:27:44:27:55 | userProperty | provenance | Src:MaD:43040  |
 | Test.java:33:30:33:74 | getParameter(...) : String | Test.java:34:20:34:32 | userParameter : String | provenance | Src:MaD:44662  |
 | Test.java:34:20:34:32 | userParameter : String | Test.java:37:31:37:43 | format : String | provenance |  |
 | Test.java:37:31:37:43 | format : String | Test.java:39:25:39:30 | format | provenance |  Sink:MaD:42905 |
 nodes
+| Test.java:17:27:17:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:19:19:19:30 | userProperty | semmle.label | userProperty |
+| Test.java:21:23:21:34 | userProperty | semmle.label | userProperty |
+| Test.java:23:23:23:34 | userProperty | semmle.label | userProperty |
+| Test.java:25:28:25:39 | userProperty | semmle.label | userProperty |
+| Test.java:27:44:27:55 | userProperty | semmle.label | userProperty |
 | Test.java:33:30:33:74 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | Test.java:34:20:34:32 | userParameter : String | semmle.label | userParameter : String |
 | Test.java:37:31:37:43 | format : String | semmle.label | format : String |
 | Test.java:39:25:39:30 | format | semmle.label | format |
 subpaths
 #select
+| Test.java:19:19:19:30 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:19:19:19:30 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
+| Test.java:21:23:21:34 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:21:23:21:34 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
+| Test.java:23:23:23:34 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:23:23:23:34 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
+| Test.java:25:28:25:39 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:25:28:25:39 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
+| Test.java:27:44:27:55 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:27:44:27:55 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
 | Test.java:39:25:39:30 | format | Test.java:33:30:33:74 | getParameter(...) : String | Test.java:39:25:39:30 | format | Format string depends on a $@. | Test.java:33:30:33:74 | getParameter(...) | user-provided value |
--- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatStringLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatStringLocal.expected
@@ -1,20 +0,0 @@
-edges
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:19:19:19:30 | userProperty | provenance | Src:MaD:43040  |
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:21:23:21:34 | userProperty | provenance | Src:MaD:43040  Sink:MaD:42905 |
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:23:23:23:34 | userProperty | provenance | Src:MaD:43040  Sink:MaD:42908 |
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:25:28:25:39 | userProperty | provenance | Src:MaD:43040  |
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:27:44:27:55 | userProperty | provenance | Src:MaD:43040  |
-nodes
-| Test.java:17:27:17:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
-| Test.java:19:19:19:30 | userProperty | semmle.label | userProperty |
-| Test.java:21:23:21:34 | userProperty | semmle.label | userProperty |
-| Test.java:23:23:23:34 | userProperty | semmle.label | userProperty |
-| Test.java:25:28:25:39 | userProperty | semmle.label | userProperty |
-| Test.java:27:44:27:55 | userProperty | semmle.label | userProperty |
-subpaths
-#select
-| Test.java:19:19:19:30 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:19:19:19:30 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
-| Test.java:21:23:21:34 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:21:23:21:34 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
-| Test.java:23:23:23:34 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:23:23:23:34 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
-| Test.java:25:28:25:39 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:25:28:25:39 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
-| Test.java:27:44:27:55 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:27:44:27:55 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
--- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatStringLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatStringLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql`