From b68abab12a6d66a58596ec45ad611e638cff59a4 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Wed, 1 May 2024 10:14:23 +0200
Subject: [PATCH] Java: Deprecate the content of ResponseSplittingLocalQuery and remove local query variant.
---
 .../security/ResponseSplittingLocalQuery.qll | 6 +++--
 .../CWE/CWE-113/ResponseSplittingLocal.qhelp | 5 -----
 .../CWE/CWE-113/ResponseSplittingLocal.ql | 22 -------------------
 3 files changed, 4 insertions(+), 29 deletions(-)
 delete mode 100644 java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.qhelp
 delete mode 100644 java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
index 23816caa1f8..e5845b630ec 100644
--- a/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
@@ -7,7 +7,7 @@ private import semmle.code.java.security.ResponseSplitting
 /**
 * A taint-tracking configuration to reason about response splitting vulnerabilities from local user input.
 */
-module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
+deprecated module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
@@ -32,6 +32,8 @@ module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
 }
 /**
+ * DEPRECATED: Use `ResponseSplittingFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for response splitting vulnerabilities from local user input.
 */
-module ResponseSplittingLocalFlow = TaintTracking::Global;
+deprecated module ResponseSplittingLocalFlow = TaintTracking::Global;
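Review bot: The QLDoc above `deprecated module ResponseSplittingLocalConfig` in the first hunk is left unchanged, so the deprecated config carries no `DEPRECATED:` notice or pointer to a replacement, unlike `ResponseSplittingLocalFlow` in the second hunk. I would open that comment the same way, for example `` * DEPRECATED: Use `ResponseSplittingConfig` instead and configure threat model sources to include `local`. `` followed by an empty ` *` line, assuming `ResponseSplittingConfig` is the configuration behind `ResponseSplittingFlow` (it is not visible in this patch). The module body continues outside the hunk.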
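Review bot: The new `DEPRECATED:` text in the second hunk tells users to switch to `ResponseSplittingFlow` with the `local` threat model, but nothing in this patch shows that the replacement reports the same flows. The diffstat lists three files and none is a test or a change note, while the same patch deletes the query with id `java/http-response-splitting-local`. Anyone who ran that query loses its local-source CWE-113 findings without notice unless they enable the `local` threat model. I would add a change note naming the removed query id and the replacement setup, plus a test that runs the remaining response-splitting query with `local` enabled against a local-input source. It is also worth confirming that the sources of `ResponseSplittingFlow` actually follow the threat-model configuration, which cannot be seen from here.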
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.qhelp b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.qhelp
deleted file mode 100644
index 17afa6275fc..00000000000
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.qhelp
+++ /dev/null
@@ -1,5 +0,0 @@
- - -
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
deleted file mode 100644
index 804ead11a35..00000000000
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * @name HTTP response splitting from local source
- * @description Writing user input directly to an HTTP header
- * makes code vulnerable to attack by header splitting.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 6.1
- * @precision medium
- * @id java/http-response-splitting-local
- * @tags security
- * external/cwe/cwe-113
- */
-
-import java
-import semmle.code.java.security.ResponseSplittingLocalQuery
-import ResponseSplittingLocalFlow::PathGraph
-
-from ResponseSplittingLocalFlow::PathNode source, ResponseSplittingLocalFlow::PathNode sink
-where ResponseSplittingLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink,
- "This header depends on a $@, which may cause a response-splitting vulnerability.",
- source.getNode(), "user-provided value"