diff --git a/python/ql/lib/semmle/python/security/ClearText.qll b/python/ql/lib/semmle/python/security/ClearText.qll index 9905040da18..c466be17ae6 100644 --- a/python/ql/lib/semmle/python/security/ClearText.qll +++ b/python/ql/lib/semmle/python/security/ClearText.qll @@ -4,7 +4,7 @@ import semmle.python.security.SensitiveData import semmle.python.dataflow.Files import semmle.python.web.Http -module ClearTextStorage { +deprecated module ClearTextStorage { abstract class Sink extends TaintSink { override predicate sinks(TaintKind kind) { kind instanceof SensitiveData } } @@ -26,7 +26,7 @@ module ClearTextStorage { } } -module ClearTextLogging { +deprecated module ClearTextLogging { abstract class Sink extends TaintSink { override predicate sinks(TaintKind kind) { kind instanceof SensitiveData } } diff --git a/python/ql/lib/semmle/python/security/Crypto.qll b/python/ql/lib/semmle/python/security/Crypto.qll index 65ec8f13a6e..dbf53f8a0fa 100644 --- a/python/ql/lib/semmle/python/security/Crypto.qll +++ b/python/ql/lib/semmle/python/security/Crypto.qll @@ -3,12 +3,12 @@ import semmle.python.dataflow.TaintTracking private import semmle.python.security.SensitiveData private import semmle.crypto.Crypto as CryptoLib -abstract class WeakCryptoSink extends TaintSink { +abstract deprecated class WeakCryptoSink extends TaintSink { override predicate sinks(TaintKind taint) { taint instanceof SensitiveData } } /** Modeling the 'pycrypto' package https://github.com/dlitz/pycrypto (latest release 2013) */ -module Pycrypto { +deprecated module Pycrypto { ModuleValue cipher(string name) { result = Module::named("Crypto.Cipher").attr(name) } class CipherInstance extends TaintKind { @@ -58,7 +58,7 @@ module Pycrypto { } } -module Cryptography { +deprecated module Cryptography { ModuleValue ciphers() { result = Module::named("cryptography.hazmat.primitives.ciphers") and result.isPackage() 
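Review bot: None of the `deprecated` annotations added here comes with a QLDoc line naming what to use instead; this starts at `deprecated module ClearTextStorage` and `deprecated module ClearTextLogging` in ClearText.qll and repeats in every other hunk of this diff (Crypto, Exceptions, SensitiveData and the injection/ libraries). Several of these declarations are extension points for security sinks (`WeakCryptoSink`, `CommandSink`, `DeserializationSink`), so anyone with custom queries built on them gets a deprecation warning but no pointer to the model that keeps their weak-crypto, command-injection or deserialization coverage. I would put a comment on each public declaration, for example `/** DEPRECATED: Use <replacement library> instead. */` above `deprecated module ClearTextStorage {`, with the placeholder filled in per file; where a declaration already has QLDoc, add the `DEPRECATED:` sentence to that comment. The private helpers such as `traceback_function` need no such note.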
@@ -128,7 +128,7 @@ module Cryptography { } } -private class CipherConfig extends TaintTracking::Configuration { +deprecated private class CipherConfig extends TaintTracking::Configuration { CipherConfig() { this = "Crypto cipher config" } override predicate isSource(TaintTracking::Source source) { diff --git a/python/ql/lib/semmle/python/security/Exceptions.qll b/python/ql/lib/semmle/python/security/Exceptions.qll index 7bc4374bd64..a335d4e3c35 100644 --- a/python/ql/lib/semmle/python/security/Exceptions.qll +++ b/python/ql/lib/semmle/python/security/Exceptions.qll @@ -7,13 +7,15 @@ import python import semmle.python.dataflow.TaintTracking import semmle.python.security.strings.Basic -private Value traceback_function(string name) { result = Module::named("traceback").attr(name) } +deprecated private Value traceback_function(string name) { + result = Module::named("traceback").attr(name) +} /** * This represents information relating to an exception, for instance the * message, arguments or parts of the exception traceback. */ -class ExceptionInfo extends StringKind { +deprecated class ExceptionInfo extends StringKind { ExceptionInfo() { this = "exception.info" } override string repr() { result = "exception info" } @@ -23,12 +25,12 @@ class ExceptionInfo extends StringKind { * A class representing sources of information about * execution state exposed in tracebacks and the like. */ -abstract class ErrorInfoSource extends TaintSource { } +abstract deprecated class ErrorInfoSource extends TaintSource { } /** * This kind represents exceptions themselves. */ -class ExceptionKind extends TaintKind { +deprecated class ExceptionKind extends TaintKind { ExceptionKind() { this = "exception.kind" } override string repr() { result = "exception" } 
@@ -44,7 +46,7 @@ class ExceptionKind extends TaintKind { * A source of exception objects, either explicitly created, or captured by an * `except` statement. */ -class ExceptionSource extends ErrorInfoSource { +deprecated class ExceptionSource extends ErrorInfoSource { ExceptionSource() { exists(ClassValue cls | cls.getASuperType() = ClassValue::baseException() and @@ -63,7 +65,7 @@ class ExceptionSource extends ErrorInfoSource { * Represents a sequence of pieces of information relating to an exception, * for instance the contents of the `args` attribute, or the stack trace. */ -class ExceptionInfoSequence extends SequenceKind { +deprecated class ExceptionInfoSequence extends SequenceKind { ExceptionInfoSequence() { this.getItem() instanceof ExceptionInfo } } @@ -71,7 +73,7 @@ class ExceptionInfoSequence extends SequenceKind { * Represents calls to functions in the `traceback` module that return * sequences of exception information. */ -class CallToTracebackFunction extends ErrorInfoSource { +deprecated class CallToTracebackFunction extends ErrorInfoSource { CallToTracebackFunction() { exists(string name | name in [ @@ -92,7 +94,7 @@ class CallToTracebackFunction extends ErrorInfoSource { * Represents calls to functions in the `traceback` module that return a single * string of information about an exception. */ -class FormattedTracebackSource extends ErrorInfoSource { +deprecated class FormattedTracebackSource extends ErrorInfoSource { FormattedTracebackSource() { this = traceback_function("format_exc").getACall() } override string toString() { result = "exception.info.source" } diff --git a/python/ql/lib/semmle/python/security/SensitiveData.qll b/python/ql/lib/semmle/python/security/SensitiveData.qll index 141555bda1a..7a955c0fd5a 100644 --- a/python/ql/lib/semmle/python/security/SensitiveData.qll +++ b/python/ql/lib/semmle/python/security/SensitiveData.qll 
@@ -15,7 +15,7 @@ import semmle.python.web.HttpRequest import semmle.python.security.internal.SensitiveDataHeuristics private import HeuristicNames -abstract class SensitiveData extends TaintKind { +abstract deprecated class SensitiveData extends TaintKind { bindingset[this] SensitiveData() { this = this } @@ -23,7 +23,7 @@ abstract class SensitiveData extends TaintKind { abstract SensitiveDataClassification getClassification(); } -module SensitiveData { +deprecated module SensitiveData { class Secret extends SensitiveData { Secret() { this = "sensitive.data.secret" } @@ -115,4 +115,4 @@ module SensitiveData { } //Backwards compatibility -class SensitiveDataSource = SensitiveData::Source; +deprecated class SensitiveDataSource = SensitiveData::Source; diff --git a/python/ql/lib/semmle/python/security/injection/Command.qll b/python/ql/lib/semmle/python/security/injection/Command.qll index 2bb4d275938..b8ae8b94563 100644 --- a/python/ql/lib/semmle/python/security/injection/Command.qll +++ b/python/ql/lib/semmle/python/security/injection/Command.qll 
@@ -11,18 +11,18 @@ import semmle.python.dataflow.TaintTracking import semmle.python.security.strings.Untrusted /** Abstract taint sink that is potentially vulnerable to malicious shell commands. */ -abstract class CommandSink extends TaintSink { } +abstract deprecated class CommandSink extends TaintSink { } -private ModuleObject osOrPopenModule() { result.getName() = ["os", "popen2"] } +deprecated private ModuleObject osOrPopenModule() { result.getName() = ["os", "popen2"] } -private Object makeOsCall() { +deprecated private Object makeOsCall() { exists(string name | result = ModuleObject::named("subprocess").attr(name) | name = ["Popen", "call", "check_call", "check_output", "run"] ) } /**Special case for first element in sequence. */ -class FirstElementKind extends TaintKind { +deprecated class FirstElementKind extends TaintKind { FirstElementKind() { this = "sequence[" + any(ExternalStringKind key) + "][0]" } override string repr() { result = "first item in sequence of " + this.getItem().repr() } @@ -31,7 +31,7 @@ class FirstElementKind extends TaintKind { ExternalStringKind getItem() { this = "sequence[" + result + "][0]" } } -class FirstElementFlow extends DataFlowExtension::DataFlowNode { +deprecated class FirstElementFlow extends DataFlowExtension::DataFlowNode { FirstElementFlow() { this = any(SequenceNode s).getElement(0) } override ControlFlowNode getASuccessorNode(TaintKind fromkind, TaintKind tokind) { @@ -43,7 +43,7 @@ class FirstElementFlow extends DataFlowExtension::DataFlowNode { * A taint sink that is potentially vulnerable to malicious shell commands. * The `vuln` in `subprocess.call(shell=vuln)` and similar calls. */ -class ShellCommand extends CommandSink { +deprecated class ShellCommand extends CommandSink { override string toString() { result = "shell command" } ShellCommand() { 
@@ -81,7 +81,7 @@ class ShellCommand extends CommandSink { * A taint sink that is potentially vulnerable to malicious shell commands. * The `vuln` in `subprocess.call(vuln, ...)` and similar calls. */ -class OsCommandFirstArgument extends CommandSink { +deprecated class OsCommandFirstArgument extends CommandSink { override string toString() { result = "OS command first argument" } OsCommandFirstArgument() { @@ -111,7 +111,7 @@ class OsCommandFirstArgument extends CommandSink { * A taint sink that is potentially vulnerable to malicious shell commands. * The `vuln` in `invoke.run(vuln, ...)` and similar calls. */ -class InvokeRun extends CommandSink { +deprecated class InvokeRun extends CommandSink { InvokeRun() { this = Value::named("invoke.run").(FunctionValue).getArgumentForCall(_, 0) or @@ -127,12 +127,12 @@ class InvokeRun extends CommandSink { * Internal TaintKind to track the invoke.Context instance passed to functions * marked with @invoke.task */ -private class InvokeContextArg extends TaintKind { +deprecated private class InvokeContextArg extends TaintKind { InvokeContextArg() { this = "InvokeContextArg" } } /** Internal TaintSource to track the context passed to functions marked with @invoke.task */ -private class InvokeContextArgSource extends TaintSource { +deprecated private class InvokeContextArgSource extends TaintSource { InvokeContextArgSource() { exists(Function f, Expr decorator | count(f.getADecorator()) = 1 and @@ -158,7 +158,7 @@ private class InvokeContextArgSource extends TaintSource { * A taint sink that is potentially vulnerable to malicious shell commands. * The `vuln` in `invoke.Context().run(vuln, ...)` and similar calls. */ -class InvokeContextRun extends CommandSink { +deprecated class InvokeContextRun extends CommandSink { InvokeContextRun() { exists(CallNode call | any(InvokeContextArg k).taints(call.getFunction().(AttrNode).getObject("run")) 
@@ -187,7 +187,7 @@ class InvokeContextRun extends CommandSink { * A taint sink that is potentially vulnerable to malicious shell commands. * The `vuln` in `fabric.Group().run(vuln, ...)` and similar calls. */ -class FabricGroupRun extends CommandSink { +deprecated class FabricGroupRun extends CommandSink { FabricGroupRun() { exists(ClassValue cls | cls.getASuperType() = Value::named("fabric.Group") and @@ -203,7 +203,7 @@ class FabricGroupRun extends CommandSink { // -------------------------------------------------------------------------- // // Modeling of the 'invoke' package and 'fabric' package (v 1.x) // -------------------------------------------------------------------------- // -class FabricV1Commands extends CommandSink { +deprecated class FabricV1Commands extends CommandSink { FabricV1Commands() { // since `run` and `sudo` are decorated, we can't use FunctionValue's :( exists(CallNode call | @@ -228,7 +228,7 @@ class FabricV1Commands extends CommandSink { * An extension that propagates taint from the arguments of `fabric.api.execute(func, arg0, arg1, ...)` * to the parameters of `func`, since this will call `func(arg0, arg1, ...)`. */ -class FabricExecuteExtension extends DataFlowExtension::DataFlowNode { +deprecated class FabricExecuteExtension extends DataFlowExtension::DataFlowNode { CallNode call; FabricExecuteExtension() { diff --git a/python/ql/lib/semmle/python/security/injection/Deserialization.qll b/python/ql/lib/semmle/python/security/injection/Deserialization.qll index 029705cd807..b516a2d6b2f 100644 --- a/python/ql/lib/semmle/python/security/injection/Deserialization.qll +++ b/python/ql/lib/semmle/python/security/injection/Deserialization.qll @@ -2,7 +2,7 @@ import python import semmle.python.dataflow.TaintTracking /** `pickle.loads(untrusted)` vulnerability. */ -abstract class DeserializationSink extends TaintSink { +abstract deprecated class DeserializationSink extends TaintSink { bindingset[this] DeserializationSink() { this = this } } 
diff --git a/python/ql/lib/semmle/python/security/injection/Exec.qll b/python/ql/lib/semmle/python/security/injection/Exec.qll index b5008a94e3b..3ff84915ae0 100644 --- a/python/ql/lib/semmle/python/security/injection/Exec.qll +++ b/python/ql/lib/semmle/python/security/injection/Exec.qll @@ -14,7 +14,7 @@ import semmle.python.security.strings.Untrusted * A taint sink that represents an argument to exec or eval that is vulnerable to malicious input. * The `vuln` in `exec(vuln)` or similar. */ -class StringEvaluationNode extends TaintSink { +deprecated class StringEvaluationNode extends TaintSink { override string toString() { result = "exec or eval" } StringEvaluationNode() { diff --git a/python/ql/lib/semmle/python/security/injection/Marshal.qll b/python/ql/lib/semmle/python/security/injection/Marshal.qll index a77c7cd6278..815890903bd 100644 --- a/python/ql/lib/semmle/python/security/injection/Marshal.qll +++ b/python/ql/lib/semmle/python/security/injection/Marshal.qll @@ -11,13 +11,15 @@ import semmle.python.dataflow.TaintTracking import semmle.python.security.strings.Untrusted import semmle.python.security.injection.Deserialization -private FunctionObject marshalLoads() { result = ModuleObject::named("marshal").attr("loads") } +deprecated private FunctionObject marshalLoads() { + result = ModuleObject::named("marshal").attr("loads") +} /** * A taint sink that is potentially vulnerable to malicious marshaled objects. * The `vuln` in `marshal.loads(vuln)`. */ -class UnmarshalingNode extends DeserializationSink { +deprecated class UnmarshalingNode extends DeserializationSink { override string toString() { result = "unmarshaling vulnerability" } UnmarshalingNode() { diff --git a/python/ql/lib/semmle/python/security/injection/Path.qll b/python/ql/lib/semmle/python/security/injection/Path.qll index ee470932749..73d76104493 100644 --- a/python/ql/lib/semmle/python/security/injection/Path.qll +++ b/python/ql/lib/semmle/python/security/injection/Path.qll 
@@ -6,7 +6,7 @@ import semmle.python.security.strings.Untrusted * Prevents taint flowing through ntpath.normpath() * NormalizedPath below handles that case. */ -class PathSanitizer extends Sanitizer { +deprecated class PathSanitizer extends Sanitizer { PathSanitizer() { this = "path.sanitizer" } override predicate sanitizingNode(TaintKind taint, ControlFlowNode node) { @@ -15,7 +15,7 @@ class PathSanitizer extends Sanitizer { } } -private FunctionObject abspath() { +deprecated private FunctionObject abspath() { exists(ModuleObject os_path | ModuleObject::named("os").attr("path") = os_path | os_path.attr("abspath") = result or @@ -24,18 +24,18 @@ private FunctionObject abspath() { } /** A path that has been normalized, but not verified to be safe */ -class NormalizedPath extends TaintKind { +deprecated class NormalizedPath extends TaintKind { NormalizedPath() { this = "normalized.path.injection" } override string repr() { result = "normalized path" } } -private predicate abspath_call(CallNode call, ControlFlowNode arg) { +deprecated private predicate abspath_call(CallNode call, ControlFlowNode arg) { call.getFunction().refersTo(abspath()) and arg = call.getArg(0) } -class AbsPath extends DataFlowExtension::DataFlowNode { +deprecated class AbsPath extends DataFlowExtension::DataFlowNode { AbsPath() { abspath_call(_, this) } override ControlFlowNode getASuccessorNode(TaintKind fromkind, TaintKind tokind) { @@ -45,7 +45,7 @@ class AbsPath extends DataFlowExtension::DataFlowNode { } } -class NormalizedPathSanitizer extends Sanitizer { +deprecated class NormalizedPathSanitizer extends Sanitizer { NormalizedPathSanitizer() { this = "normalized.path.sanitizer" } override predicate sanitizingEdge(TaintKind taint, PyEdgeRefinement test) { 
@@ -59,7 +59,7 @@ class NormalizedPathSanitizer extends Sanitizer { * A taint sink that is vulnerable to malicious paths. * The `vuln` in `open(vuln)` and similar. */ -class OpenNode extends TaintSink { +deprecated class OpenNode extends TaintSink { override string toString() { result = "argument to open()" } OpenNode() { diff --git a/python/ql/lib/semmle/python/security/injection/Pickle.qll b/python/ql/lib/semmle/python/security/injection/Pickle.qll index f668c7011fe..621eccbd6ce 100644 --- a/python/ql/lib/semmle/python/security/injection/Pickle.qll +++ b/python/ql/lib/semmle/python/security/injection/Pickle.qll @@ -11,7 +11,7 @@ import semmle.python.dataflow.TaintTracking import semmle.python.security.strings.Untrusted import semmle.python.security.injection.Deserialization -private ModuleObject pickleModule() { +deprecated private ModuleObject pickleModule() { result.getName() = "pickle" or result.getName() = "cPickle" @@ -19,10 +19,10 @@ private ModuleObject pickleModule() { result.getName() = "dill" } -private FunctionObject pickleLoads() { result = pickleModule().attr("loads") } +deprecated private FunctionObject pickleLoads() { result = pickleModule().attr("loads") } /** `pickle.loads(untrusted)` vulnerability. */ -class UnpicklingNode extends DeserializationSink { +deprecated class UnpicklingNode extends DeserializationSink { override string toString() { result = "unpickling untrusted data" } UnpicklingNode() { diff --git a/python/ql/lib/semmle/python/security/injection/Sql.qll b/python/ql/lib/semmle/python/security/injection/Sql.qll index 5ded218fc9e..b2e2cd47715 100644 --- a/python/ql/lib/semmle/python/security/injection/Sql.qll +++ b/python/ql/lib/semmle/python/security/injection/Sql.qll 
@@ -11,7 +11,7 @@ import semmle.python.dataflow.TaintTracking import semmle.python.security.strings.Untrusted import semmle.python.security.SQL -private StringObject first_part(ControlFlowNode command) { +deprecated private StringObject first_part(ControlFlowNode command) { command.(BinaryExprNode).getOp() instanceof Add and command.(BinaryExprNode).getLeft().refersTo(result) or @@ -26,7 +26,7 @@ private StringObject first_part(ControlFlowNode command) { } /** Holds if `command` appears to be a SQL command string of which `inject` is a part. */ -predicate probable_sql_command(ControlFlowNode command, ControlFlowNode inject) { +deprecated predicate probable_sql_command(ControlFlowNode command, ControlFlowNode inject) { exists(string prefix | inject = command.getAChild*() and first_part(command).getText().regexpMatch(" *" + prefix + ".*") @@ -39,7 +39,7 @@ predicate probable_sql_command(ControlFlowNode command, ControlFlowNode inject) * A taint kind representing a DB cursor. * This will be overridden to provide specific kinds of DB cursor. */ -abstract class DbCursor extends TaintKind { +abstract deprecated class DbCursor extends TaintKind { bindingset[this] DbCursor() { any() } @@ -50,7 +50,7 @@ abstract class DbCursor extends TaintKind { * A part of a string that appears to be a SQL command and is thus * vulnerable to malicious input. */ -class SimpleSqlStringInjection extends SqlInjectionSink { +deprecated class SimpleSqlStringInjection extends SqlInjectionSink { override string toString() { result = "simple SQL string injection" } SimpleSqlStringInjection() { probable_sql_command(_, this) } 
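Review bot: `SimpleSqlStringInjection` and, in the next hunk of Sql.qll, `DbConnectionExecuteArgument` are now deprecated, but both extend `SqlInjectionSink`, which comes from the imported `semmle.python.security.SQL` library and does not appear among the files changed here. Unless that base class was already deprecated in an earlier change, a query that selects on `SqlInjectionSink` still compiles without any warning while the concrete sinks behind it are being retired. Such a query would then presumably return fewer SQL-injection results, with no signal, once these classes are removed. Either add `deprecated` to the `SqlInjectionSink` declaration in the same change, or state in the commit description why it is kept.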
@@ -62,13 +62,13 @@ class SimpleSqlStringInjection extends SqlInjectionSink { * A taint source representing sources of DB connections. * This will be overridden to provide specific kinds of DB connection sources. */ -abstract class DbConnectionSource extends TaintSource { } +abstract deprecated class DbConnectionSource extends TaintSource { } /** * A taint sink that is vulnerable to malicious SQL queries. * The `vuln` in `db.connection.execute(vuln)` and similar. */ -class DbConnectionExecuteArgument extends SqlInjectionSink { +deprecated class DbConnectionExecuteArgument extends SqlInjectionSink { override string toString() { result = "db.connection.execute" } DbConnectionExecuteArgument() { diff --git a/python/ql/lib/semmle/python/security/injection/Xml.qll b/python/ql/lib/semmle/python/security/injection/Xml.qll index afa0776ef15..6f61e0a5ef5 100644 --- a/python/ql/lib/semmle/python/security/injection/Xml.qll +++ b/python/ql/lib/semmle/python/security/injection/Xml.qll 
@@ -11,23 +11,25 @@ import semmle.python.dataflow.TaintTracking import semmle.python.security.strings.Untrusted import semmle.python.security.injection.Deserialization -private ModuleObject xmlElementTreeModule() { result.getName() = "xml.etree.ElementTree" } +deprecated private ModuleObject xmlElementTreeModule() { + result.getName() = "xml.etree.ElementTree" +} -private ModuleObject xmlMiniDomModule() { result.getName() = "xml.dom.minidom" } +deprecated private ModuleObject xmlMiniDomModule() { result.getName() = "xml.dom.minidom" } -private ModuleObject xmlPullDomModule() { result.getName() = "xml.dom.pulldom" } +deprecated private ModuleObject xmlPullDomModule() { result.getName() = "xml.dom.pulldom" } -private ModuleObject xmlSaxModule() { result.getName() = "xml.sax" } +deprecated private ModuleObject xmlSaxModule() { result.getName() = "xml.sax" } -private class ExpatParser extends TaintKind { +deprecated private class ExpatParser extends TaintKind { ExpatParser() { this = "expat.parser" } } -private FunctionObject expatCreateParseFunction() { +deprecated private FunctionObject expatCreateParseFunction() { result = ModuleObject::named("xml.parsers.expat").attr("ParserCreate") } -private class ExpatCreateParser extends TaintSource { +deprecated private class ExpatCreateParser extends TaintSource { ExpatCreateParser() { expatCreateParseFunction().getACall() = this } override predicate isSourceOf(TaintKind kind) { kind instanceof ExpatParser } @@ -35,7 +37,7 @@ private class ExpatCreateParser extends TaintSource { override string toString() { result = "expat.create.parser" } } -private FunctionObject xmlFromString() { +deprecated private FunctionObject xmlFromString() { result = xmlElementTreeModule().attr("fromstring") or result = xmlMiniDomModule().attr("parseString") 
@@ -46,7 +48,7 @@ private FunctionObject xmlFromString() { } /** A (potentially) malicious XML string. */ -class ExternalXmlString extends ExternalStringKind { +deprecated class ExternalXmlString extends ExternalStringKind { ExternalXmlString() { this = "external xml encoded object" } } @@ -54,7 +56,7 @@ class ExternalXmlString extends ExternalStringKind { * A call to an XML library function that is potentially vulnerable to a * specially crafted XML string. */ -class XmlLoadNode extends DeserializationSink { +deprecated class XmlLoadNode extends DeserializationSink { override string toString() { result = "xml.load vulnerability" } XmlLoadNode() { diff --git a/python/ql/lib/semmle/python/security/injection/Yaml.qll b/python/ql/lib/semmle/python/security/injection/Yaml.qll index f8f92fff609..585552442f7 100644 --- a/python/ql/lib/semmle/python/security/injection/Yaml.qll +++ b/python/ql/lib/semmle/python/security/injection/Yaml.qll @@ -11,10 +11,10 @@ import semmle.python.dataflow.TaintTracking import semmle.python.security.strings.Untrusted import semmle.python.security.injection.Deserialization -private FunctionObject yamlLoad() { result = ModuleObject::named("yaml").attr("load") } +deprecated private FunctionObject yamlLoad() { result = ModuleObject::named("yaml").attr("load") } /** `yaml.load(untrusted)` vulnerability. */ -class YamlLoadNode extends DeserializationSink { +deprecated class YamlLoadNode extends DeserializationSink { override string toString() { result = "yaml.load vulnerability" } YamlLoadNode() {