Java: Deprecate the content of NumericCastTaintedLocalQuery, remove the local query variant and update the non-local query variant.

2026-04-26 09:15:12 +02:00 · 2024-04-30 15:50:36 +02:00
parent 301a6cc191
commit d05c5e3d94
7 changed files with 11 additions and 37 deletions
--- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -113,7 +113,7 @@ module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
 * A taint-tracking configuration for reasoning about local user input that is
 * used in a numeric cast.
 */
-module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
+deprecated module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) {
@@ -134,6 +134,8 @@ module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `NumericCastFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for local user input that is used in a numeric cast.
 */
-module NumericCastLocalFlow = TaintTracking::Global<NumericCastLocalFlowConfig>;
+deprecated module NumericCastLocalFlow = TaintTracking::Global<NumericCastLocalFlowConfig>;
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="NumericCastTainted.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
@@ -1,29 +0,0 @@
-/**
- * @name Local-user-controlled data in numeric cast
- * @description Casting user-controlled numeric data to a narrower type without validation
- *              can cause unexpected truncation.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 9.0
- * @precision medium
- * @id java/tainted-numeric-cast-local
- * @tags security
- *       external/cwe/cwe-197
- *       external/cwe/cwe-681
- */
-
-import java
-import semmle.code.java.security.NumericCastTaintedQuery
-import NumericCastLocalFlow::PathGraph
-
-from
-  NumericCastLocalFlow::PathNode source, NumericCastLocalFlow::PathNode sink,
-  NumericNarrowingCastExpr exp, VarAccess tainted
-where
-  exp.getExpr() = tainted and
-  sink.getNode().asExpr() = tainted and
-  NumericCastLocalFlow::flowPath(source, sink) and
-  not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
-select exp, source, sink,
-  "This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
-  "user-provided value"
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.qlref
+++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-681/NumericCastTainted.ql
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-681/NumericCastTaintedLocal.ql
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-681/NumericCastTaintedLocal.ql`