From d9c7401ea2e4dc008ea014de7828a29237252099 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Wed, 1 May 2024 10:56:19 +0200
Subject: [PATCH] Java: Deprecate the local content of UrlRedirectLocalQuery and remove the local query variant.
---
 .../java/security/UrlRedirectLocalQuery.qll | 6 ++++--
 .../CWE/CWE-601/UrlRedirectLocal.qhelp | 5 -----
 .../Security/CWE/CWE-601/UrlRedirectLocal.ql | 21 -------------------
 3 files changed, 4 insertions(+), 28 deletions(-)
 delete mode 100644 java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.qhelp
 delete mode 100644 java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectLocalQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectLocalQuery.qll
index 8b2e0374322..f68fb959ea5 100644
--- a/java/ql/lib/semmle/code/java/security/UrlRedirectLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlRedirectLocalQuery.qll
@@ -7,13 +7,15 @@ private import semmle.code.java.security.UrlRedirect
 /**
  * A taint-tracking configuration to reason about URL redirection from local sources.
  */
-module UrlRedirectLocalConfig implements DataFlow::ConfigSig {
+deprecated module UrlRedirectLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
   predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
 }
 /**
+ * DEPRECATED: Use `UrlRedirectFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for URL redirection from local sources.
  */
-module UrlRedirectLocalFlow = TaintTracking::Global;
+deprecated module UrlRedirectLocalFlow = TaintTracking::Global;
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.qhelp b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.qhelp
deleted file mode 100644
index 05e5cf6fb49..00000000000
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.qhelp
+++ /dev/null
@@ -1,5 +0,0 @@
- - -
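Review bot: The `UrlRedirectLocalConfig` module receives the `deprecated` modifier in this hunk but its QLDoc is left unchanged, while the `UrlRedirectLocalFlow` comment a few lines below gets the explanatory `DEPRECATED:` line; a user whose query still implements or references the config sees the deprecation warning with no migration hint. Add the same notice to the config's doc comment, ` * DEPRECATED: Use UrlRedirectFlow instead and configure threat model sources to include local.` followed by a bare ` *` separator line, so both deprecated modules document the replacement. Since this patch also deletes the only in-repo consumer (the `UrlRedirectLocal.ql` query in the next file), it would help to state in that notice which query now covers the local-source case, if the replacement query's name is known. Both module definitions are complete within the hunk.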
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
deleted file mode 100644
index 0ba8f5ec38c..00000000000
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
+++ /dev/null
@@ -1,21 +0,0 @@
-/**
- * @name URL redirection from local source
- * @description URL redirection based on unvalidated user-input
- * may cause redirection to malicious web sites.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 6.1
- * @precision medium
- * @id java/unvalidated-url-redirection-local
- * @tags security
- * external/cwe/cwe-601
- */
-
-import java
-import semmle.code.java.security.UrlRedirectLocalQuery
-import UrlRedirectLocalFlow::PathGraph
-
-from UrlRedirectLocalFlow::PathNode source, UrlRedirectLocalFlow::PathNode sink
-where UrlRedirectLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
-  "user-provided value"