mirror of
https://github.com/github/codeql.git
synced 2026-04-24 08:15:14 +02:00
Refactor Customizations libraries to use ThreatModelFlowSource
This commit is contained in:
Ed Minnix
@@ -31,12 +31,12 @@ module CommandInjection {
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
|
||||
* DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
|
||||
*/
|
||||
deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
|
||||
deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource;
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for command injection. */
|
||||
private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
/** A command name, considered as a taint sink for command injection. */
|
||||
class CommandNameAsSink extends Sink {
|
||||
|
||||
@@ -26,12 +26,12 @@ module LogInjection {
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
|
||||
* DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
|
||||
*/
|
||||
deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
|
||||
deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource;
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for log injection. */
|
||||
private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
/** An argument to a logging mechanism. */
|
||||
class LoggerSink extends Sink {
|
||||
|
||||
@@ -49,7 +49,7 @@ module MissingJwtSignatureCheck {
|
||||
}
|
||||
}
|
||||
|
||||
private class DefaultSource extends Source instanceof RemoteFlowSource { }
|
||||
private class DefaultSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
private class DefaultSink extends Sink {
|
||||
DefaultSink() { sinkNode(this, "jwt") }
|
||||
|
||||
@@ -43,15 +43,15 @@ module OpenUrlRedirect {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
|
||||
* DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
|
||||
*/
|
||||
deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
|
||||
deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource;
|
||||
|
||||
/**
|
||||
* A source of third-party user input, considered as a flow source for URL redirects.
|
||||
*/
|
||||
private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource {
|
||||
RemoteFlowAsSource() {
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource {
|
||||
ThreatModelFlowAsSource() {
|
||||
// exclude some fields and methods of URLs that are generally not attacker-controllable for
|
||||
// open redirect exploits
|
||||
not this instanceof Http::Redirect::UnexploitableSource
|
||||
|
||||
@@ -35,14 +35,14 @@ module ReflectedXss {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
|
||||
* DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
|
||||
*/
|
||||
deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
|
||||
deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource;
|
||||
|
||||
/**
|
||||
* A third-party controllable input, considered as a flow source for reflected XSS.
|
||||
*/
|
||||
private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
/** An arbitrary XSS sink, considered as a flow sink for stored XSS. */
|
||||
private class AnySink extends Sink instanceof SharedXss::Sink { }
|
||||
|
||||
@@ -33,14 +33,14 @@ module RequestForgery {
|
||||
abstract class SanitizerEdge extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
|
||||
* DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
|
||||
*/
|
||||
deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
|
||||
deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource;
|
||||
|
||||
/**
|
||||
* A third-party controllable input, considered as a flow source for request forgery.
|
||||
*/
|
||||
private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
/**
|
||||
* The URL of an HTTP request, viewed as a sink for request forgery.
|
||||
|
||||
@@ -26,12 +26,12 @@ module SqlInjection {
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
|
||||
* DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
|
||||
*/
|
||||
deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
|
||||
deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource;
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for SQL injection. */
|
||||
private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
/** An SQL string, considered as a taint sink for SQL injection. */
|
||||
class SqlQueryAsSink extends Sink instanceof SQL::QueryString { }
|
||||
|
||||
@@ -45,12 +45,12 @@ module TaintedPath {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
|
||||
* DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
|
||||
*/
|
||||
deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
|
||||
deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource;
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for path traversal. */
|
||||
private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
/** A path expression, considered as a taint sink for path traversal. */
|
||||
class PathAsSink extends Sink {
|
||||
|
||||
@@ -21,7 +21,7 @@ module UncontrolledAllocationSize {
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for uncontrolled size allocation vulnerabilities. */
|
||||
private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
/** The size argument of a memory allocation function. */
|
||||
private class AllocationSizeAsSink extends Sink instanceof AllocationSizeOverflow::AllocationSize {
|
||||
|
||||
@@ -25,12 +25,12 @@ module XPathInjection {
|
||||
abstract class Sanitizer extends DataFlow::ExprNode { }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
|
||||
* DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
|
||||
*/
|
||||
deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
|
||||
deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource;
|
||||
|
||||
/** A source of untrusted data, used in an XPath expression. */
|
||||
private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
/** An XPath expression string, considered as a taint sink for XPath injection. */
|
||||
class XPathExpressionStringAsSink extends Sink instanceof XPath::XPathExpressionString { }
|
||||
|
||||
@@ -17,12 +17,12 @@ module EmailInjection {
|
||||
abstract class Sink extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
|
||||
* DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead.
|
||||
*/
|
||||
deprecated class UntrustedFlowSourceAsSource = RemoteFlowSourceAsSource;
|
||||
deprecated class UntrustedFlowSourceAsSource = ThreatModelFlowAsSource;
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for email injection. */
|
||||
private class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource { }
|
||||
private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { }
|
||||
|
||||
/**
|
||||
* A data-flow node that becomes part of an email considered as a taint sink for email injection.
|
||||
|
||||
Reference in New Issue
Block a user