JS: Deprecate AdditionalTaintStep

2026-04-29 18:55:14 +02:00 · 2021-03-16 11:44:45 +00:00
parent 332ee40984
commit c0b5a9ad0c
2 changed files with 14 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -338,7 +338,7 @@ module TaintTracking {
     */
    cached
    predicate legacyAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      any(AdditionalTaintStep step).step(pred, succ)
+      any(InternalAdditionalTaintStep step).step(pred, succ)
    }

    /**
@@ -469,6 +469,12 @@ module TaintTracking {
  }

  /**
+   * DEPRECATED. Subclasses should extend `SharedTaintStep` instead, unless the subclass
+   * is part of a query, in which case it should be moved into the `isAdditionalTaintStep` predicate
+   * of the relevant taint-tracking configuration.
+   * Other uses of the `step` relation in this class should instead use the `TaintTracking::sharedTaintStep`
+   * predicate.
+   *
   * A taint-propagating data flow edge that should be added to all taint tracking
   * configurations in addition to standard data flow edges.
   *
@@ -476,7 +482,10 @@ module TaintTracking {
   * of the standard library. Override `Configuration::isAdditionalTaintStep`
   * for analysis-specific taint steps.
   */
-  abstract class AdditionalTaintStep extends DataFlow::Node {
+  deprecated class AdditionalTaintStep = InternalAdditionalTaintStep;
+
+  /** Internal version of `AdditionalTaintStep` that won't trigger deprecation warnings. */
+  abstract private class InternalAdditionalTaintStep extends DataFlow::Node {
    /**
     * Holds if `pred` &rarr; `succ` should be considered a taint-propagating
     * data flow edge.
--- a/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll
@@ -9,8 +9,9 @@ import javascript
 *
 * A taint propagating data flow edge arising from an operation in a URI library.
 */
-abstract deprecated class UriLibraryStep extends DataFlow::ValueNode,
-  TaintTracking::AdditionalTaintStep { }
+abstract deprecated class UriLibraryStep extends DataFlow::ValueNode {
+  predicate step(DataFlow::Node pred, DataFlow::Node succ) { none() }
+}

 /**
 * Provides classes for working with [urijs](http://medialize.github.io/URI.js/) code.