mirror of
https://github.com/github/codeql.git
synced 2026-02-21 17:33:40 +01:00
Naming in other languages:
- `SourceNode` (for QL only modeling)
- `ThreatModelFlowSource` (for active sources from QL or data-extensions)

However, since we use `LocalSourceNode` in Python, and `SourceNode` in JS (for local source nodes), it seems a bit confusing to follow the same naming convention as other languages, and instead I came up with new names.
32 lines
1.0 KiB
Plaintext
```ql
/**
 * Provides an extension point for modeling user-controlled data.
 * Such data is often used as data-flow sources in security queries.
 */

private import python
private import semmle.python.dataflow.new.DataFlow
// Need to import since frameworks can extend `RemoteFlowSource::Range`
private import semmle.python.Frameworks
private import semmle.python.Concepts

/**
 * A data flow source of remote user input.
 *
 * Extend this class to refine existing API models. If you want to model new APIs,
 * extend `RemoteFlowSource::Range` instead.
 */
class RemoteFlowSource extends ThreatModelSource instanceof RemoteFlowSource::Range { }

/** Provides a class for modeling new sources of remote user input. */
module RemoteFlowSource {
  /**
   * A data flow source of remote user input.
   *
   * Extend this class to model new APIs. If you want to refine existing API models,
   * extend `RemoteFlowSource` instead.
   */
  abstract class Range extends ThreatModelSource::Range {
    override string getThreatModel() { result = "remote" }
  }
}
```
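As an added example (not part of the CodeQL repository), the following query shows the extension point in use: it models the return value of a made-up `hypothetical_web.get_request_param()` call as remote user input by extending `RemoteFlowSource::Range`, then lists every remote source the library knows about. It assumes `ThreatModelSource::Range` declares an abstract `getSourceType()` member, that `semmle.python.ApiGraphs` provides the `API::moduleImport` graph, and that this file is importable as `semmle.python.dataflow.new.RemoteFlowSources`; the module and function names are invented.

```ql
/**
 * @name Remote flow sources, including a hypothetical framework
 * @kind problem
 * @problem.severity recommendation
 * @id py/example/remote-flow-sources
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs

/**
 * The return value of `hypothetical_web.get_request_param(...)` (a made-up
 * framework used only for this example), treated as remote user input.
 * Extending `RemoteFlowSource::Range` rather than `RemoteFlowSource` is what
 * makes every query built on `RemoteFlowSource` pick the new source up.
 */
class HypotheticalWebParamSource extends RemoteFlowSource::Range {
  HypotheticalWebParamSource() {
    this =
      API::moduleImport("hypothetical_web")
          .getMember("get_request_param")
          .getReturn()
          .asSource()
  }

  // Assumed to be the abstract member inherited from `ThreatModelSource::Range`.
  override string getSourceType() { result = "hypothetical_web request parameter" }
}

// Every modeled remote source, framework-provided or added above, with its
// threat-model kind ("remote", fixed by `Range` above) and its description.
from RemoteFlowSource src
select src, "Remote source (" + src.getThreatModel() + "): " + src.getSourceType()
```

Because the new class lives in a `Range` subclass, taint-tracking queries that start from `RemoteFlowSource` need no change to treat the new parameter as attacker-controlled input.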