Merge pull request #10075 from erik-krogh/depOld
delete old deprecations
@@ -0,0 +1,6 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Most deprecated predicates/classes/modules that have been deprecated for over a year have been
|
||||
deleted.
|
||||
|
||||
@@ -9,118 +9,6 @@ private import semmle.javascript.dataflow.internal.StepSummary
|
||||
private import semmle.javascript.dataflow.internal.PreCallGraphStep
|
||||
private import DataFlow::PseudoProperties
|
||||
|
||||
/**
|
||||
* DEPRECATED. Exists only to support other deprecated elements.
|
||||
*
|
||||
* Type-tracking now automatically determines the set of pseudo-properties to include
|
||||
* ased on which properties are contributed by `SharedTaintStep`s.
|
||||
*/
|
||||
deprecated private class PseudoProperty extends string {
|
||||
PseudoProperty() {
|
||||
this = [arrayLikeElement(), "1"] or // the "1" is required for the `ForOfStep`.
|
||||
this =
|
||||
[
|
||||
mapValue(any(DataFlow::CallNode c | c.getCalleeName() = "set").getArgument(0)),
|
||||
mapValueAll()
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use `SharedFlowStep` or `SharedTaintTrackingStep` instead.
|
||||
*/
|
||||
abstract deprecated class CollectionFlowStep extends DataFlow::AdditionalFlowStep {
|
||||
final override predicate step(DataFlow::Node pred, DataFlow::Node succ) { none() }
|
||||
|
||||
final override predicate step(
|
||||
DataFlow::Node p, DataFlow::Node s, DataFlow::FlowLabel pl, DataFlow::FlowLabel sl
|
||||
) {
|
||||
none()
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the property `prop` of the object `pred` should be loaded into `succ`.
|
||||
*/
|
||||
predicate load(DataFlow::Node pred, DataFlow::Node succ, PseudoProperty prop) { none() }
|
||||
|
||||
final override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
|
||||
this.load(pred, succ, prop)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred` should be stored in the object `succ` under the property `prop`.
|
||||
*/
|
||||
predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, PseudoProperty prop) { none() }
|
||||
|
||||
final override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
|
||||
this.store(pred, succ, prop)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the property `prop` should be copied from the object `pred` to the object `succ`.
|
||||
*/
|
||||
predicate loadStore(DataFlow::Node pred, DataFlow::Node succ, PseudoProperty prop) { none() }
|
||||
|
||||
final override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
|
||||
this.loadStore(pred, succ, prop, prop)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the property `loadProp` should be copied from the object `pred` to the property `storeProp` of object `succ`.
|
||||
*/
|
||||
predicate loadStore(
|
||||
DataFlow::Node pred, DataFlow::Node succ, PseudoProperty loadProp, PseudoProperty storeProp
|
||||
) {
|
||||
none()
|
||||
}
|
||||
|
||||
final override predicate loadStoreStep(
|
||||
DataFlow::Node pred, DataFlow::Node succ, string loadProp, string storeProp
|
||||
) {
|
||||
this.loadStore(pred, succ, loadProp, storeProp)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED. These steps are now included in the default type tracking steps,
|
||||
* in most cases one can simply use those instead.
|
||||
*/
|
||||
deprecated module CollectionsTypeTracking {
|
||||
/**
|
||||
* Gets the result from a single step through a collection, from `pred` to `result` summarized by `summary`.
|
||||
*/
|
||||
pragma[inline]
|
||||
DataFlow::SourceNode collectionStep(DataFlow::Node pred, StepSummary summary) {
|
||||
exists(PseudoProperty field |
|
||||
summary = LoadStep(field) and
|
||||
DataFlow::SharedTypeTrackingStep::loadStep(pred, result, field) and
|
||||
not field = mapValueUnknownKey() // prune unknown reads in type-tracking
|
||||
or
|
||||
summary = StoreStep(field) and
|
||||
DataFlow::SharedTypeTrackingStep::storeStep(pred, result, field)
|
||||
or
|
||||
summary = CopyStep(field) and
|
||||
DataFlow::SharedTypeTrackingStep::loadStoreStep(pred, result, field)
|
||||
or
|
||||
exists(PseudoProperty toField | summary = LoadStoreStep(field, toField) |
|
||||
DataFlow::SharedTypeTrackingStep::loadStoreStep(pred, result, field, toField)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the result from a single step through a collection, from `pred` with tracker `t2` to `result` with tracker `t`.
|
||||
*/
|
||||
pragma[inline]
|
||||
DataFlow::SourceNode collectionStep(
|
||||
DataFlow::SourceNode pred, DataFlow::TypeTracker t, DataFlow::TypeTracker t2
|
||||
) {
|
||||
exists(DataFlow::Node mid, StepSummary summary | pred.flowsTo(mid) and t = t2.append(summary) |
|
||||
result = collectionStep(mid, summary)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A module for data-flow steps related standard library collection implementations.
|
||||
*/
|
||||
|
||||
@@ -523,74 +523,6 @@ abstract class LabeledBarrierGuardNode extends BarrierGuardNode {
|
||||
override predicate blocks(boolean outcome, Expr e) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED. Subclasses should extend `SharedFlowStep` instead, unless the subclass
|
||||
* is part of a query, in which case it should be moved into the `isAdditionalFlowStep` predicate
|
||||
* of the relevant data-flow configuration.
|
||||
* Other uses of the predicate in this class should instead reference the predicates in the
|
||||
* `SharedFlowStep::` module, such as `SharedFlowStep::step`.
|
||||
*
|
||||
* A data flow edge that should be added to all data flow configurations in
|
||||
* addition to standard data flow edges.
|
||||
*
|
||||
* Note: For performance reasons, all subclasses of this class should be part
|
||||
* of the standard library. Override `Configuration::isAdditionalFlowStep`
|
||||
* for analysis-specific flow steps.
|
||||
*/
|
||||
deprecated class AdditionalFlowStep = LegacyAdditionalFlowStep;
|
||||
|
||||
// Internal version of AdditionalFlowStep that we can reference without deprecation warnings.
|
||||
abstract private class LegacyAdditionalFlowStep extends DataFlow::Node {
|
||||
/**
|
||||
* Holds if `pred` → `succ` should be considered a data flow edge.
|
||||
*/
|
||||
predicate step(DataFlow::Node pred, DataFlow::Node succ) { none() }
|
||||
|
||||
/**
|
||||
* Holds if `pred` → `succ` should be considered a data flow edge
|
||||
* transforming values with label `predlbl` to have label `succlbl`.
|
||||
*/
|
||||
predicate step(
|
||||
DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel predlbl,
|
||||
DataFlow::FlowLabel succlbl
|
||||
) {
|
||||
none()
|
||||
}
|
||||
|
||||
/**
|
||||
* EXPERIMENTAL. This API may change in the future.
|
||||
*
|
||||
* Holds if `pred` should be stored in the object `succ` under the property `prop`.
|
||||
* The object `succ` must be a `DataFlow::SourceNode` for the object wherein the value is stored.
|
||||
*/
|
||||
predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }
|
||||
|
||||
/**
|
||||
* EXPERIMENTAL. This API may change in the future.
|
||||
*
|
||||
* Holds if the property `prop` of the object `pred` should be loaded into `succ`.
|
||||
*/
|
||||
predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
|
||||
|
||||
/**
|
||||
* EXPERIMENTAL. This API may change in the future.
|
||||
*
|
||||
* Holds if the property `prop` should be copied from the object `pred` to the object `succ`.
|
||||
*/
|
||||
predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
|
||||
|
||||
/**
|
||||
* EXPERIMENTAL. This API may change in the future.
|
||||
*
|
||||
* Holds if the property `loadProp` should be copied from the object `pred` to the property `storeProp` of object `succ`.
|
||||
*/
|
||||
predicate loadStoreStep(
|
||||
DataFlow::Node pred, DataFlow::Node succ, string loadProp, string storeProp
|
||||
) {
|
||||
none()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A data flow edge that should be added to all data flow configurations in
|
||||
* addition to standard data flow edges.
|
||||
@@ -713,40 +645,6 @@ module SharedFlowStep {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Contributes subclasses of `AdditionalFlowStep` to `SharedFlowStep`.
|
||||
*/
|
||||
private class AdditionalFlowStepAsSharedStep extends SharedFlowStep {
|
||||
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(LegacyAdditionalFlowStep s).step(pred, succ)
|
||||
}
|
||||
|
||||
override predicate step(
|
||||
DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel predlbl,
|
||||
DataFlow::FlowLabel succlbl
|
||||
) {
|
||||
any(LegacyAdditionalFlowStep s).step(pred, succ, predlbl, succlbl)
|
||||
}
|
||||
|
||||
override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
|
||||
any(LegacyAdditionalFlowStep s).storeStep(pred, succ, prop)
|
||||
}
|
||||
|
||||
override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
|
||||
any(LegacyAdditionalFlowStep s).loadStep(pred, succ, prop)
|
||||
}
|
||||
|
||||
override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
|
||||
any(LegacyAdditionalFlowStep s).loadStoreStep(pred, succ, prop)
|
||||
}
|
||||
|
||||
override predicate loadStoreStep(
|
||||
DataFlow::Node pred, DataFlow::Node succ, string loadProp, string storeProp
|
||||
) {
|
||||
any(LegacyAdditionalFlowStep s).loadStoreStep(pred, succ, loadProp, storeProp)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A collection of pseudo-properties that are used in multiple files.
|
||||
*
|
||||
|
||||
@@ -320,14 +320,6 @@ module TaintTracking {
|
||||
any(SharedTaintStep step).heuristicStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred -> succ` is an edge contributed by an `AdditionalTaintStep` instance.
|
||||
*/
|
||||
cached
|
||||
predicate legacyAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(InternalAdditionalTaintStep step).step(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Public taint step relations.
|
||||
*/
|
||||
@@ -441,7 +433,6 @@ module TaintTracking {
|
||||
* Holds if `pred -> succ` is an edge used by all taint-tracking configurations.
|
||||
*/
|
||||
predicate sharedTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
Cached::legacyAdditionalTaintStep(pred, succ) or
|
||||
Cached::genericStep(pred, succ) or
|
||||
Cached::heuristicStep(pred, succ) or
|
||||
uriStep(pred, succ) or
|
||||
@@ -456,31 +447,6 @@ module TaintTracking {
|
||||
promiseStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED. Subclasses should extend `SharedTaintStep` instead, unless the subclass
|
||||
* is part of a query, in which case it should be moved into the `isAdditionalTaintStep` predicate
|
||||
* of the relevant taint-tracking configuration.
|
||||
* Other uses of the `step` relation in this class should instead use the `TaintTracking::sharedTaintStep`
|
||||
* predicate.
|
||||
*
|
||||
* A taint-propagating data flow edge that should be added to all taint tracking
|
||||
* configurations in addition to standard data flow edges.
|
||||
*
|
||||
* Note: For performance reasons, all subclasses of this class should be part
|
||||
* of the standard library. Override `Configuration::isAdditionalTaintStep`
|
||||
* for analysis-specific taint steps.
|
||||
*/
|
||||
deprecated class AdditionalTaintStep = InternalAdditionalTaintStep;
|
||||
|
||||
/** Internal version of `AdditionalTaintStep` that won't trigger deprecation warnings. */
|
||||
abstract private class InternalAdditionalTaintStep extends DataFlow::Node {
|
||||
/**
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge.
|
||||
*/
|
||||
abstract predicate step(DataFlow::Node pred, DataFlow::Node succ);
|
||||
}
|
||||
|
||||
/** Gets a data flow node referring to the client side URL. */
|
||||
private DataFlow::SourceNode clientSideUrlRef(DataFlow::TypeTracker t) {
|
||||
t.start() and
|
||||
|
||||
@@ -449,58 +449,3 @@ module SharedTypeTrackingStep {
|
||||
any(SharedTypeTrackingStep s).withoutPropStep(pred, succ, props)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use `SharedTypeTrackingStep` instead.
|
||||
*
|
||||
* A data flow edge that should be followed by type tracking.
|
||||
*
|
||||
* Unlike `AdditionalFlowStep`, this type of edge does not affect
|
||||
* the local data flow graph, and is not used by data-flow configurations.
|
||||
*
|
||||
* Note: For performance reasons, all subclasses of this class should be part
|
||||
* of the standard library. For query-specific steps, consider including the
|
||||
* custom steps in the type-tracking predicate itself.
|
||||
*/
|
||||
deprecated class AdditionalTypeTrackingStep = LegacyTypeTrackingStep;
|
||||
|
||||
// Internal version of AdditionalTypeTrackingStep that we can reference without deprecation warnings.
|
||||
abstract private class LegacyTypeTrackingStep extends DataFlow::Node {
|
||||
/**
|
||||
* Holds if type-tracking should step from `pred` to `succ`.
|
||||
*/
|
||||
predicate step(DataFlow::Node pred, DataFlow::Node succ) { none() }
|
||||
|
||||
/**
|
||||
* Holds if type-tracking should step from `pred` into the `prop` property of `succ`.
|
||||
*/
|
||||
predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }
|
||||
|
||||
/**
|
||||
* Holds if type-tracking should step from the `prop` property of `pred` to `succ`.
|
||||
*/
|
||||
predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
|
||||
|
||||
/**
|
||||
* Holds if type-tracking should step from the `prop` property of `pred` to the same property in `succ`.
|
||||
*/
|
||||
predicate loadStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }
|
||||
}
|
||||
|
||||
private class LegacyStepAsSharedTypeTrackingStep extends SharedTypeTrackingStep {
|
||||
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(LegacyTypeTrackingStep s).step(pred, succ)
|
||||
}
|
||||
|
||||
override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
|
||||
any(LegacyTypeTrackingStep s).storeStep(pred, succ, prop)
|
||||
}
|
||||
|
||||
override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
|
||||
any(LegacyTypeTrackingStep s).loadStep(pred, succ, prop)
|
||||
}
|
||||
|
||||
override predicate loadStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
|
||||
any(LegacyTypeTrackingStep s).loadStoreStep(pred, succ, prop)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,16 +4,6 @@
|
||||
|
||||
import javascript
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use `TaintTracking::SharedTaintStep` or `TaintTracking::uriStep` instead.
|
||||
*
|
||||
* A taint propagating data flow edge arising from an operation in a URI library.
|
||||
*/
|
||||
abstract deprecated class UriLibraryStep extends DataFlow::ValueNode {
|
||||
/** Holds if `pred -> succ` is a step through a URI library function. */
|
||||
predicate step(DataFlow::Node pred, DataFlow::Node succ) { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for `Urijs` */
|
||||
deprecated module urijs = Urijs;
|
||||
|
||||
|
||||
@@ -25,24 +25,6 @@ abstract class SensitiveExpr extends Expr {
|
||||
abstract SensitiveDataClassification getClassification();
|
||||
}
|
||||
|
||||
/** DEPRECATED: Use `SensitiveDataClassification` and helpers instead. */
|
||||
deprecated module SensitiveExpr {
|
||||
/** DEPRECATED: Use `SensitiveDataClassification` instead. */
|
||||
deprecated class Classification = SensitiveDataClassification;
|
||||
|
||||
/** DEPRECATED: Use `SensitiveDataClassification::secret` instead. */
|
||||
deprecated predicate secret = SensitiveDataClassification::secret/0;
|
||||
|
||||
/** DEPRECATED: Use `SensitiveDataClassification::id` instead. */
|
||||
deprecated predicate id = SensitiveDataClassification::id/0;
|
||||
|
||||
/** DEPRECATED: Use `SensitiveDataClassification::password` instead. */
|
||||
deprecated predicate password = SensitiveDataClassification::password/0;
|
||||
|
||||
/** DEPRECATED: Use `SensitiveDataClassification::certificate` instead. */
|
||||
deprecated predicate certificate = SensitiveDataClassification::certificate/0;
|
||||
}
|
||||
|
||||
/** A function call that might produce sensitive data. */
|
||||
class SensitiveCall extends SensitiveExpr, InvokeExpr {
|
||||
SensitiveDataClassification classification;
|
||||
|
||||
@@ -52,13 +52,6 @@ module ClientSideUrlRedirect {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED. Can usually be replaced with `untrustedUrlSubstring`.
|
||||
* Query accesses via `location.hash` or `location.search` are now independent
|
||||
* `RemoteFlowSource` instances, and only substrings of `location` need to be handled via steps.
|
||||
*/
|
||||
deprecated predicate queryAccess = untrustedUrlSubstring/2;
|
||||
|
||||
/**
|
||||
* Holds if `substring` refers to a substring of `base` which is considered untrusted
|
||||
* when `base` is the current URL.
|
||||
|
||||
@@ -52,20 +52,6 @@ deprecated predicate isDocumentUrl(Expr e) { e.flow() = DOM::locationSource() }
|
||||
/** DEPRECATED: Alias for isDocumentUrl */
|
||||
deprecated predicate isDocumentURL = isDocumentUrl/1;
|
||||
|
||||
/**
|
||||
* DEPRECATED. In most cases, a sanitizer based on this predicate can be removed, as
|
||||
* taint tracking no longer step through the properties of the location object by default.
|
||||
*
|
||||
* Holds if `pacc` accesses a part of `document.location` that is
|
||||
* not considered user-controlled, that is, anything except
|
||||
* `href`, `hash` and `search`.
|
||||
*/
|
||||
deprecated predicate isSafeLocationProperty(PropAccess pacc) {
|
||||
exists(string prop | pacc = DOM::locationRef().getAPropertyRead(prop).asExpr() |
|
||||
prop != "href" and prop != "hash" and prop != "search"
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to a DOM method.
|
||||
*/
|
||||
|
||||
@@ -118,15 +118,6 @@ deprecated class RouteHandlerExpressionWithRateLimiter extends Expr {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use `RateLimitingMiddleware` instead.
|
||||
*
|
||||
* A middleware that acts as a rate limiter.
|
||||
*/
|
||||
deprecated class RateLimiter extends Express::RouteHandlerExpr {
|
||||
RateLimiter() { any(RateLimitingMiddleware m).ref().flowsToExpr(this) }
|
||||
}
|
||||
|
||||
/**
|
||||
* The creation of a middleware function that acts as a rate limiter.
|
||||
*/
|
||||
|
||||
@@ -106,16 +106,6 @@ module HeuristicNames {
|
||||
"(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|code)|certain|concert|secretar|accountant|accountab).*"
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `maybeSensitiveRegexp` instead.
|
||||
*/
|
||||
deprecated predicate maybeSensitive = maybeSensitiveRegexp/1;
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `notSensitiveRegexp` instead.
|
||||
*/
|
||||
deprecated predicate notSensitive = notSensitiveRegexp/0;
|
||||
|
||||
/**
|
||||
* Holds if `name` may indicate the presence of sensitive data, and
|
||||
* `name` does not indicate that the data is in fact non-sensitive (for example since
|
||||
|
||||
@@ -11,9 +11,6 @@ predicate configStep(Node pred, Node succ) {
|
||||
)
|
||||
}
|
||||
|
||||
class CustomStep extends AdditionalTypeTrackingStep, Node {
|
||||
override predicate step(Node pred, Node succ) {
|
||||
pred = this and
|
||||
configStep(pred, succ)
|
||||
}
|
||||
class CustomStep extends SharedTypeTrackingStep {
|
||||
override predicate step(Node pred, Node succ) { configStep(pred, succ) }
|
||||
}
|
||||
|
||||
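Review bot: The rewritten `CustomStep` at the end of this hunk has no QLDoc and drops the old `pred = this` conjunct without explanation, so a reader cannot tell whether the test's step relation was meant to change. The old class declared no characteristic predicate, so `this` presumably ranged over every `Node` and the contributed edges should still be exactly `configStep`. The test's expected-output file is not among the visible sections, so that cannot be confirmed from this page. I would add `/** Contributes configStep as a type-tracking step; SharedTypeTrackingStep is not a node class, so no pred = this restriction applies. */` above the class. `configStep` itself begins outside the hunk.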