remove CodeInjection from ATM

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CodeInjectionATM.qll

@@ -1,67 +0,0 @@
-/**
- * Provides a taint-tracking configuration for reasoning about code
- * injection vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `CodeInjection::Configuration` is needed, otherwise
- * `CodeInjectionCustomizations` should be imported instead.
- * Is boosted by ATM.
- */
-
-import javascript
-import AdaptiveThreatModeling
-import semmle.javascript.security.dataflow.CodeInjectionCustomizations::CodeInjection
-
-/**
- * This module provides logic to filter candidate sinks to those which are likely XSS sinks.
- */
-module SinkEndpointFilter {
-  private import StandardEndpointFilters as StandardEndpointFilters
-
-  /**
-   * Provides a set of reasons why a given data flow node should be excluded as a sink candidate.
-   *
-   * If this predicate has no results for a sink candidate `n`, then we should treat `n` as an
-   * effective sink.
-   */
-  string getAReasonSinkExcluded(DataFlow::Node sinkCandidate) {
-    result = StandardEndpointFilters::getAReasonSinkExcluded(sinkCandidate)
-  }
-}
-
-class CodeInjectionAtmConfig extends ATMConfig {
-  CodeInjectionAtmConfig() { this = "CodeInjectionATMConfig" }
-
-  override predicate isKnownSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isKnownSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isEffectiveSink(DataFlow::Node sinkCandidate) {
-    not exists(SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate))
-  }
-
-  override EndpointType getASinkEndpointType() { result instanceof CodeInjectionSinkType }
-}
-
-/**
- * A taint-tracking configuration for reasoning about code injection vulnerabilities.
- */
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "CodeInjectionATMConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) {
-    (sink instanceof Sink or any(CodeInjectionAtmConfig cfg).isEffectiveSink(sink))
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof Sanitizer
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
-    // HTML sanitizers are insufficient protection against code injection
-    src = trg.(HtmlSanitizerCall).getInput()
-  }
-}

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointTypes.qll

@@ -10,8 +10,7 @@ newtype TEndpointType =
   TXssSinkType() or
   TNosqlInjectionSinkType() or
   TSqlInjectionSinkType() or
-  TTaintedPathSinkType() or
-  TCodeInjectionSinkType()
+  TTaintedPathSinkType()
 
 /** A class that can be predicted by endpoint scoring models. */
 abstract class EndpointType extends TEndpointType {
@@ -56,10 +55,3 @@ class TaintedPathSinkType extends EndpointType, TTaintedPathSinkType {
 
   override int getEncoding() { result = 4 }
 }
-
-/** The `CodeInjectionSink` class that can be predicted by endpoint scoring models. */
-class CodeInjectionSinkType extends EndpointType, TCodeInjectionSinkType {
-  override string getDescription() { result = "CodeInjectionSink" }
-
-  override int getEncoding() { result = 5 }
-}

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/CodeInjection.ql

@@ -1,26 +0,0 @@
-/**
- * CodeInjection.ql
- *
- * Version of the standard Code Injection query with an output relation ready to plug into the evaluation
- * pipeline.
- *
- * Standard query: javascript/ql/src/Security/CWE-094/CodeInjection.ql
- */
-
-import semmle.javascript.security.dataflow.CodeInjectionQuery
-import EndToEndEvaluation as EndToEndEvaluation
-
-from
-  DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
-  int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
-  int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
-where
-  cfg instanceof Configuration and
-  cfg.hasFlow(source, sink) and
-  not EndToEndEvaluation::isFlowExcluded(source, sink) and
-  sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
-  source
-      .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
-        endColumnSource)
-select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
-  sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/CodeInjectionATM.ql

@@ -1,28 +0,0 @@
-/**
- * CodeInjectionATM.ql
- *
- * Version of the boosted Code Injection query with an output relation ready to plug into the evaluation
- * pipeline.
- */
-
-import ATM::ResultsInfo
-import EndToEndEvaluation as EndToEndEvaluation
-import experimental.adaptivethreatmodeling.CodeInjectionATM
-
-from
-  DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
-  int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
-  int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
-where
-  cfg.hasFlow(source, sink) and
-  not EndToEndEvaluation::isFlowExcluded(source, sink) and
-  not isFlowLikelyInBaseQuery(source, sink) and
-  sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
-  source
-      .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
-        endColumnSource) and
-  getScoreForFlow(source, sink) = score
-select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
-  sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
-    score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
-    startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/CodeInjectionATMLite.ql

@@ -1,30 +0,0 @@
-/**
- * CodeInjectionATMLite.ql
- *
- * Arbitrarily ranked version of the boosted XSS query with an output relation ready to plug into
- * the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint filters,
- * and (b) as a baseline to compare the model against.
- */
-
-import javascript
-import ATM::ResultsInfo
-import EndToEndEvaluation as EndToEndEvaluation
-import experimental.adaptivethreatmodeling.CodeInjectionATM
-
-from
-  DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
-  int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
-  int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
-where
-  cfg.hasFlow(source, sink) and
-  not EndToEndEvaluation::isFlowExcluded(source, sink) and
-  not isFlowLikelyInBaseQuery(source, sink) and
-  sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
-  source
-      .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
-        endColumnSource) and
-  score = 0
-select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
-  sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
-    score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
-    startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll

@@ -14,7 +14,6 @@ import experimental.adaptivethreatmodeling.EndpointFeatures as EndpointFeatures
 import experimental.adaptivethreatmodeling.EndpointScoring as EndpointScoring
 import experimental.adaptivethreatmodeling.EndpointTypes
 import experimental.adaptivethreatmodeling.FilteringReasons
-import experimental.adaptivethreatmodeling.CodeInjectionATM as CodeInjectionATM
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
@@ -26,8 +25,6 @@ import Queries
 
 /** Gets the ATM configuration object for the specified query. */
 AtmConfig getAtmCfg(Query query) {
-  query instanceof CodeInjectionQuery and result instanceof CodeInjectionATM::CodeInjectionAtmConfig
-  or
   query instanceof NosqlInjectionQuery and
   result instanceof NosqlInjectionATM::NosqlInjectionAtmConfig
   or
@@ -45,8 +42,6 @@ deprecated ATMConfig getATMCfg(Query query) { result = getAtmCfg(query) }
 
 /** Gets the ATM data flow configuration for the specified query. */
 DataFlow::Configuration getDataFlowCfg(Query query) {
-  query instanceof CodeInjectionQuery and result instanceof CodeInjectionATM::Configuration
-  or
   query instanceof NosqlInjectionQuery and result instanceof NosqlInjectionATM::Configuration
   or
   query instanceof SqlInjectionQuery and result instanceof SqlInjectionATM::Configuration

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointMapping.ql

@@ -4,7 +4,6 @@
  * Maps ML-powered queries to their `EndpointType` for clearer labelling while evaluating ML model during training.
  */
 
-import experimental.adaptivethreatmodeling.CodeInjectionATM as CodeInjectionATM
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
@@ -15,8 +14,6 @@ import experimental.adaptivethreatmodeling.AdaptiveThreatModeling
 from string queryName, AtmConfig c, EndpointType e
 where
   (
-    queryName = "CodeInjection" and c instanceof CodeInjectionATM::CodeInjectionAtmConfig
-    or
     queryName = "SqlInjection" and
     c instanceof SqlInjectionATM::SqlInjectionAtmConfig
     or

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/Queries.qll

@@ -18,10 +18,6 @@ abstract class Query extends TQuery {
   string toString() { result = getName() }
 }
 
-class CodeInjectionQuery extends Query, TCodeInjectionQuery {
-  override string getName() { result = "CodeInjection" }
-}
-
 class NosqlInjectionQuery extends Query, TNosqlInjectionQuery {
   override string getName() { result = "NosqlInjection" }
 }