deprecate SqlConstruction

2026-05-02 12:15:17 +02:00 · 2022-05-01 17:57:48 +02:00
parent 6c67e51ec3
commit c0eca0d09a
15 changed files with 49 additions and 85 deletions
--- a/python/ql/lib/change-notes/2022-05-02-deprecate-sqlconstruction.md
+++ b/python/ql/lib/change-notes/2022-05-02-deprecate-sqlconstruction.md
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+The `SqlConstruction` class and module from `Concepts.qll` has been deprecated. Use `SqlExecution` from the same file instead.
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -308,36 +308,19 @@ module CodeExecution {
  }
 }

-/**
- * A data-flow node that constructs an SQL statement.
- *
- * Often, it is worthy of an alert if an SQL statement is constructed such that
- * executing it would be a security risk.
- *
- * If it is important that the SQL statement is indeed executed, then use `SQLExecution`.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `SqlConstruction::Range` instead.
- */
-class SqlConstruction extends DataFlow::Node instanceof SqlConstruction::Range {
+/** DEPRECATED: Use `SqlExecution` instead. */
+deprecated class SqlConstruction extends DataFlow::Node instanceof SqlConstruction::Range {
  /** Gets the argument that specifies the SQL statements to be constructed. */
  DataFlow::Node getSql() { result = super.getSql() }
 }

-/** Provides a class for modeling new SQL execution APIs. */
-module SqlConstruction {
-  /**
-   * A data-flow node that constructs an SQL statement.
-   *
-   * Often, it is worthy of an alert if an SQL statement is constructed such that
-   * executing it would be a security risk.
-   *
-   * If it is important that the SQL statement is indeed executed, then use `SQLExecution`.
-   *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `SqlConstruction` instead.
-   */
-  abstract class Range extends DataFlow::Node {
+/**
+ * DEPRECATED: Use `SqlExecution` instead.
+ * Provides a class for modeling new SQL execution APIs.
+ */
+deprecated module SqlConstruction {
+  /** DEPRECATED: Use `SqlExecution::Range` instead. */
+  abstract deprecated class Range extends DataFlow::Node {
    /** Gets the argument that specifies the SQL statements to be constructed. */
    abstract DataFlow::Node getSql();
  }
@@ -346,9 +329,6 @@ module SqlConstruction {
 /**
 * A data-flow node that executes SQL statements.
 *
- * If the context of interest is such that merely constructing an SQL statement
- * would be valuabe to report, then consider using `SqlConstruction`.
- *
 * Extend this class to refine existing API models. If you want to model new APIs,
 * extend `SqlExecution::Range` instead.
 */
@@ -362,9 +342,6 @@ module SqlExecution {
  /**
   * A data-flow node that executes SQL statements.
   *
-   * If the context of interest is such that merely constructing an SQL statement
-   * would be valuabe to report, then consider using `SqlConstruction`.
-   *
   * Extend this class to model new APIs. If you want to refine existing API models,
   * extend `SqlExecution` instead.
   */
--- a/python/ql/lib/semmle/python/frameworks/Aiomysql.qll
+++ b/python/ql/lib/semmle/python/frameworks/Aiomysql.qll
@@ -50,7 +50,7 @@ private module Aiomysql {
   * A query. Calling `execute` on a `Cursor` constructs a query.
   * See https://aiomysql.readthedocs.io/en/stable/cursors.html#Cursor.execute
   */
-  class CursorExecuteCall extends SqlConstruction::Range, API::CallNode {
+  class CursorExecuteCall extends SqlExecution::Range, API::CallNode {
    CursorExecuteCall() { this = cursor().getMember("execute").getACall() }

    override DataFlow::Node getSql() { result = this.getParameter(0, "operation").getARhs() }
@@ -91,7 +91,7 @@ private module Aiomysql {
   * A query. Calling `execute` on a `SAConnection` constructs a query.
   * See https://aiomysql.readthedocs.io/en/stable/sa.html#aiomysql.sa.SAConnection.execute
   */
-  class SAConnectionExecuteCall extends SqlConstruction::Range, API::CallNode {
+  class SAConnectionExecuteCall extends SqlExecution::Range, API::CallNode {
    SAConnectionExecuteCall() { this = saConnection().getMember("execute").getACall() }

    override DataFlow::Node getSql() { result = this.getParameter(0, "query").getARhs() }
--- a/python/ql/lib/semmle/python/frameworks/Aiopg.qll
+++ b/python/ql/lib/semmle/python/frameworks/Aiopg.qll
@@ -50,7 +50,7 @@ private module Aiopg {
   * A query. Calling `execute` on a `Cursor` constructs a query.
   * See https://aiopg.readthedocs.io/en/stable/core.html#aiopg.Cursor.execute
   */
-  class CursorExecuteCall extends SqlConstruction::Range, API::CallNode {
+  class CursorExecuteCall extends SqlExecution::Range, API::CallNode {
    CursorExecuteCall() { this = cursor().getMember("execute").getACall() }

    override DataFlow::Node getSql() { result = this.getParameter(0, "operation").getARhs() }
@@ -87,7 +87,7 @@ private module Aiopg {
   * A query. Calling `execute` on a `SAConnection` constructs a query.
   * See https://aiopg.readthedocs.io/en/stable/sa.html#aiopg.sa.SAConnection.execute
   */
-  class SAConnectionExecuteCall extends SqlConstruction::Range, API::CallNode {
+  class SAConnectionExecuteCall extends SqlExecution::Range, API::CallNode {
    SAConnectionExecuteCall() { this = saConnection().getMember("execute").getACall() }

    override DataFlow::Node getSql() { result = this.getParameter(0, "query").getARhs() }
--- a/python/ql/lib/semmle/python/frameworks/Asyncpg.qll
+++ b/python/ql/lib/semmle/python/frameworks/Asyncpg.qll
@@ -56,7 +56,7 @@ private module Asyncpg {
   * The creation of the `Cursor` executes the query.
   */
  module Cursor {
-    class CursorConstruction extends SqlConstruction::Range, API::CallNode {
+    class CursorConstruction extends SqlExecution::Range, API::CallNode {
      CursorConstruction() {
        this = ModelOutput::getATypeNode("asyncpg", "Connection").getMember("cursor").getACall()
      }
--- a/python/ql/lib/semmle/python/frameworks/SqlAlchemy.qll
+++ b/python/ql/lib/semmle/python/frameworks/SqlAlchemy.qll
@@ -323,7 +323,7 @@ module SqlAlchemy {
     * A construction of a `sqlalchemy.sql.expression.TextClause`, which represents a
     * textual SQL string directly.
     */
-    abstract class TextClauseConstruction extends SqlConstruction::Range, DataFlow::CallCfgNode {
+    abstract class TextClauseConstruction extends SqlExecution::Range, DataFlow::CallCfgNode {
      /** Gets the argument that specifies the SQL text. */
      override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("text")] }
    }
--- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
@@ -43,9 +43,10 @@ module SqlInjection {
  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }

  /**
+   * DEPRECATED: Use `SqlExecutionAsSink` instead.
   * A SQL statement of a SQL construction, considered as a flow sink.
   */
-  class SqlConstructionAsSink extends Sink {
+  deprecated class SqlConstructionAsSink extends Sink {
    SqlConstructionAsSink() { this = any(SqlConstruction c).getSql() }
  }