Update instances of experimental concept to the main one, and anotate missing experimental test results.

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -216,47 +216,6 @@ class SqlEscape extends DataFlow::Node instanceof SqlEscape::Range {
   DataFlow::Node getAnInput() { result = super.getAnInput() }
 }
 
-/** Provides classes for modeling HTTP Header APIs. */
-module HeaderDeclaration {
-  /**
-   * A data-flow node that collects functions setting HTTP Headers.
-   *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `HeaderDeclaration` instead.
-   */
-  abstract class Range extends DataFlow::Node {
-    /**
-     * Gets the argument containing the header name.
-     */
-    abstract DataFlow::Node getNameArg();
-
-    /**
-     * Gets the argument containing the header value.
-     */
-    abstract DataFlow::Node getValueArg();
-  }
-}
-
-/**
- * A data-flow node that collects functions setting HTTP Headers.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `HeaderDeclaration::Range` instead.
- *
- * Exists as `Http::Server::ResponseHeaderWrite` in the main concepts library.
- */
-class HeaderDeclaration extends DataFlow::Node instanceof HeaderDeclaration::Range {
-  /**
-   * Gets the argument containing the header name.
-   */
-  DataFlow::Node getNameArg() { result = super.getNameArg() }
-
-  /**
-   * Gets the argument containing the header value.
-   */
-  DataFlow::Node getValueArg() { result = super.getValueArg() }
-}
-
 /** Provides classes for modeling Csv writer APIs. */
 module CsvWriter {
   /**

python/ql/src/experimental/semmle/python/CookieHeader.qll

@@ -6,6 +6,7 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import experimental.semmle.python.Concepts
+import semmle.python.Concepts
 
 /**
  * Gets a header setting a cookie.
@@ -26,13 +27,13 @@ import experimental.semmle.python.Concepts
  * * `isSameSite()` predicate would fail.
  * * `getName()` and `getValue()` results would be `"name=value; Secure;"`.
  */
-class CookieHeader extends Cookie::Range instanceof HeaderDeclaration {
+class CookieHeader extends Cookie::Range instanceof Http::Server::ResponseHeaderWrite {
   CookieHeader() {
     exists(StringLiteral str |
       str.getText() = "Set-Cookie" and
       DataFlow::exprNode(str)
           .(DataFlow::LocalSourceNode)
-          .flowsTo(this.(HeaderDeclaration).getNameArg())
+          .flowsTo(this.(Http::Server::ResponseHeaderWrite).getNameArg())
     )
   }
 
@@ -41,7 +42,7 @@ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration {
       str.getText().regexpMatch(".*; *Secure;.*") and
       DataFlow::exprNode(str)
           .(DataFlow::LocalSourceNode)
-          .flowsTo(this.(HeaderDeclaration).getValueArg())
+          .flowsTo(this.(Http::Server::ResponseHeaderWrite).getValueArg())
     )
   }
 
@@ -50,7 +51,7 @@ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration {
       str.getText().regexpMatch(".*; *HttpOnly;.*") and
       DataFlow::exprNode(str)
           .(DataFlow::LocalSourceNode)
-          .flowsTo(this.(HeaderDeclaration).getValueArg())
+          .flowsTo(this.(Http::Server::ResponseHeaderWrite).getValueArg())
     )
   }
 
@@ -59,13 +60,17 @@ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration {
       str.getText().regexpMatch(".*; *SameSite=(Strict|Lax);.*") and
       DataFlow::exprNode(str)
           .(DataFlow::LocalSourceNode)
-          .flowsTo(this.(HeaderDeclaration).getValueArg())
+          .flowsTo(this.(Http::Server::ResponseHeaderWrite).getValueArg())
     )
   }
 
-  override DataFlow::Node getNameArg() { result = this.(HeaderDeclaration).getValueArg() }
+  override DataFlow::Node getNameArg() {
+    result = this.(Http::Server::ResponseHeaderWrite).getValueArg()
+  }
 
-  override DataFlow::Node getValueArg() { result = this.(HeaderDeclaration).getValueArg() }
+  override DataFlow::Node getValueArg() {
+    result = this.(Http::Server::ResponseHeaderWrite).getValueArg()
+  }
 
   override DataFlow::Node getHeaderArg() { none() }
 }

python/ql/test/experimental/query-tests/Security/CWE-113/HeaderInjection.expected

@@ -1,47 +0,0 @@
-edges
-| django_bad.py:5:5:5:14 | ControlFlowNode for rfs_header | django_bad.py:7:40:7:49 | ControlFlowNode for rfs_header | provenance |  |
-| django_bad.py:5:18:5:58 | ControlFlowNode for Attribute() | django_bad.py:5:5:5:14 | ControlFlowNode for rfs_header | provenance |  |
-| django_bad.py:12:5:12:14 | ControlFlowNode for rfs_header | django_bad.py:14:30:14:39 | ControlFlowNode for rfs_header | provenance |  |
-| django_bad.py:12:18:12:58 | ControlFlowNode for Attribute() | django_bad.py:12:5:12:14 | ControlFlowNode for rfs_header | provenance |  |
-| flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_bad.py:1:29:1:35 | ControlFlowNode for request | provenance |  |
-| flask_bad.py:1:29:1:35 | ControlFlowNode for request | flask_bad.py:9:18:9:24 | ControlFlowNode for request | provenance |  |
-| flask_bad.py:1:29:1:35 | ControlFlowNode for request | flask_bad.py:19:18:19:24 | ControlFlowNode for request | provenance |  |
-| flask_bad.py:1:29:1:35 | ControlFlowNode for request | flask_bad.py:27:18:27:24 | ControlFlowNode for request | provenance |  |
-| flask_bad.py:1:29:1:35 | ControlFlowNode for request | flask_bad.py:35:18:35:24 | ControlFlowNode for request | provenance |  |
-| flask_bad.py:9:5:9:14 | ControlFlowNode for rfs_header | flask_bad.py:12:31:12:40 | ControlFlowNode for rfs_header | provenance |  |
-| flask_bad.py:9:18:9:24 | ControlFlowNode for request | flask_bad.py:9:5:9:14 | ControlFlowNode for rfs_header | provenance | AdditionalTaintStep |
-| flask_bad.py:19:5:19:14 | ControlFlowNode for rfs_header | flask_bad.py:21:38:21:47 | ControlFlowNode for rfs_header | provenance |  |
-| flask_bad.py:19:18:19:24 | ControlFlowNode for request | flask_bad.py:19:5:19:14 | ControlFlowNode for rfs_header | provenance | AdditionalTaintStep |
-| flask_bad.py:27:5:27:14 | ControlFlowNode for rfs_header | flask_bad.py:29:34:29:43 | ControlFlowNode for rfs_header | provenance |  |
-| flask_bad.py:27:18:27:24 | ControlFlowNode for request | flask_bad.py:27:5:27:14 | ControlFlowNode for rfs_header | provenance | AdditionalTaintStep |
-| flask_bad.py:35:5:35:14 | ControlFlowNode for rfs_header | flask_bad.py:38:24:38:33 | ControlFlowNode for rfs_header | provenance |  |
-| flask_bad.py:35:18:35:24 | ControlFlowNode for request | flask_bad.py:35:5:35:14 | ControlFlowNode for rfs_header | provenance | AdditionalTaintStep |
-nodes
-| django_bad.py:5:5:5:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| django_bad.py:5:18:5:58 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| django_bad.py:7:40:7:49 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| django_bad.py:12:5:12:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| django_bad.py:12:18:12:58 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| django_bad.py:14:30:14:39 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| flask_bad.py:1:29:1:35 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| flask_bad.py:9:5:9:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| flask_bad.py:9:18:9:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| flask_bad.py:12:31:12:40 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| flask_bad.py:19:5:19:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| flask_bad.py:19:18:19:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| flask_bad.py:21:38:21:47 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| flask_bad.py:27:5:27:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| flask_bad.py:27:18:27:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| flask_bad.py:29:34:29:43 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| flask_bad.py:35:5:35:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-| flask_bad.py:35:18:35:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| flask_bad.py:38:24:38:33 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
-subpaths
-#select
-| django_bad.py:7:40:7:49 | ControlFlowNode for rfs_header | django_bad.py:5:18:5:58 | ControlFlowNode for Attribute() | django_bad.py:7:40:7:49 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | django_bad.py:5:18:5:58 | ControlFlowNode for Attribute() | user-provided value |
-| django_bad.py:14:30:14:39 | ControlFlowNode for rfs_header | django_bad.py:12:18:12:58 | ControlFlowNode for Attribute() | django_bad.py:14:30:14:39 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | django_bad.py:12:18:12:58 | ControlFlowNode for Attribute() | user-provided value |
-| flask_bad.py:12:31:12:40 | ControlFlowNode for rfs_header | flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_bad.py:12:31:12:40 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value |
-| flask_bad.py:21:38:21:47 | ControlFlowNode for rfs_header | flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_bad.py:21:38:21:47 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value |
-| flask_bad.py:29:34:29:43 | ControlFlowNode for rfs_header | flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_bad.py:29:34:29:43 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value |
-| flask_bad.py:38:24:38:33 | ControlFlowNode for rfs_header | flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_bad.py:38:24:38:33 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | flask_bad.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value |

python/ql/test/experimental/query-tests/Security/CWE-113/HeaderInjection.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE-113/HeaderInjection.ql

python/ql/test/experimental/query-tests/Security/CWE-113/django_bad.py

@@ -1,15 +0,0 @@
-import django.http
-
-
-def django_setitem():
-    rfs_header = django.http.request.GET.get("rfs_header")
-    response = django.http.HttpResponse()
-    response.__setitem__('HeaderName', rfs_header)
-    return response
-
-
-def django_response():
-    rfs_header = django.http.request.GET.get("rfs_header")
-    response = django.http.HttpResponse()
-    response['HeaderName'] = rfs_header
-    return response

python/ql/test/experimental/query-tests/Security/CWE-614/CookieInjection.expected

@@ -1,6 +1,4 @@
 edges
-| django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | provenance |  |
-| django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | provenance |  |
 | flask_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_bad.py:1:26:1:32 | ControlFlowNode for request | provenance |  |
 | flask_bad.py:1:26:1:32 | ControlFlowNode for request | flask_bad.py:24:21:24:27 | ControlFlowNode for request | provenance |  |
 | flask_bad.py:1:26:1:32 | ControlFlowNode for request | flask_bad.py:24:49:24:55 | ControlFlowNode for request | provenance |  |
@@ -14,9 +12,6 @@ edges
 nodes
 | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring |
-| django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | flask_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
 | flask_bad.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | flask_bad.py:24:21:24:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -34,12 +29,6 @@ subpaths
 | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | Cookie is constructed from a $@,and its httponly flag is not properly set. | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | user-supplied input |
 | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | Cookie is constructed from a $@,and its samesite flag is not properly set. | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | user-supplied input |
 | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | Cookie is constructed from a $@,and its secure flag is not properly set. | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | user-supplied input |
-| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its httponly flag is not properly set. | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | user-supplied input |
-| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its samesite flag is not properly set. | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | user-supplied input |
-| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its secure flag is not properly set. | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | user-supplied input |
-| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its httponly flag is not properly set. | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | user-supplied input |
-| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its samesite flag is not properly set. | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | user-supplied input |
-| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its secure flag is not properly set. | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | user-supplied input |
 | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | flask_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its httponly flag is not properly set. | flask_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-supplied input |
 | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | flask_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its samesite flag is not properly set. | flask_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-supplied input |
 | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | flask_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its secure flag is not properly set. | flask_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-supplied input |

python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.expected

@@ -1,15 +1,9 @@
 | django_bad.py:6:5:7:52 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
 | django_bad.py:6:5:7:52 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
 | django_bad.py:6:5:7:52 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
-| django_bad.py:13:5:13:26 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
-| django_bad.py:13:5:13:26 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
-| django_bad.py:13:5:13:26 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
 | django_bad.py:19:5:21:66 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
 | django_bad.py:19:5:21:66 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
 | django_bad.py:19:5:21:66 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
-| django_bad.py:27:5:27:26 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
-| django_bad.py:27:5:27:26 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
-| django_bad.py:27:5:27:26 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
 | django_good.py:19:5:19:44 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
 | django_good.py:19:5:19:44 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
 | django_good.py:19:5:19:44 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |

python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py

@@ -7,7 +7,7 @@ def django_response(request):
                     httponly=False, samesite='None')
     return resp
 
-
+# This test no longer produces an output due to django header setting methods not being modeled in the main query pack
 def django_response():
     response = django.http.HttpResponse()
     response['Set-Cookie'] = "name=value; SameSite=None;"
@@ -21,7 +21,7 @@ def django_response(request):
                     secure=False, httponly=False, samesite='None')
     return resp
 
-
+# This test no longer produces an output due to django header setting methods not being modeled in the main query pack
 def django_response():
     response = django.http.HttpResponse()
     response['Set-Cookie'] = f"{django.http.request.GET.get('name')}={django.http.request.GET.get('value')}; SameSite=None;"