Merge pull request #13228 from jcogs33/jcogs33/deprecated-sink-error-message

jcogs33 · web-flow · commit 64830809a6c4 · 2023-06-02T13:44:18.000-04:00
Java: add error message for outdated sink kinds in `getInvalidModelKind`
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -265,13 +265,57 @@ module ModelValidation {
     )
   }
 
+  private class OutdatedSinkKind extends string {
+    OutdatedSinkKind() {
+      this =
+        [
+          "sql", "url-redirect", "xpath", "ssti", "logging", "groovy", "jexl", "mvel", "xslt",
+          "ldap", "pending-intent-sent", "intent-start", "set-hostname-verifier",
+          "header-splitting", "xss", "write-file", "create-file", "read-file", "open-url",
+          "jdbc-url"
+        ]
+    }
+
+    private string replacementKind() {
+      this = ["sql", "xpath", "groovy", "jexl", "mvel", "xslt", "ldap"] and
+      result = this + "-injection"
+      or
+      this = "url-redirect" and result = "url-redirection"
+      or
+      this = "ssti" and result = "template-injection"
+      or
+      this = "logging" and result = "log-injection"
+      or
+      this = "pending-intent-sent" and result = "pending-intents"
+      or
+      this = "intent-start" and result = "intent-redirection"
+      or
+      this = "set-hostname-verifier" and result = "hostname-verification"
+      or
+      this = "header-splitting" and result = "response-splitting"
+      or
+      this = "xss" and result = "html-injection\" or \"js-injection"
+      or
+      this = "write-file" and result = "file-content-store"
+      or
+      this = ["create-file", "read-file"] and result = "path-injection"
+      or
+      this = ["open-url", "jdbc-url"] and result = "request-forgery"
+    }
+
+    string outdatedMessage() {
+      result =
+        "The kind \"" + this + "\" is outdated. Use \"" + this.replacementKind() + "\" instead."
+    }
+  }
+
   private string getInvalidModelKind() {
     exists(string kind | summaryModel(_, _, _, _, _, _, _, _, kind, _) |
       not kind = ["taint", "value"] and
       result = "Invalid kind \"" + kind + "\" in summary model."
     )
     or
-    exists(string kind | sinkModel(_, _, _, _, _, _, _, kind, _) |
+    exists(string kind, string msg | sinkModel(_, _, _, _, _, _, _, kind, _) |
       not kind =
         [
           "request-forgery", "jndi-injection", "ldap-injection", "sql-injection", "log-injection",
@@ -283,7 +327,11 @@ module ModelValidation {
         ] and
       not kind.matches("regex-use%") and
       not kind.matches("qltest%") and
-      result = "Invalid kind \"" + kind + "\" in sink model."
+      msg = "Invalid kind \"" + kind + "\" in sink model." and
+      // The part of this message that refers to outdated sink kinds can be deleted after June 1st, 2024.
+      if kind instanceof OutdatedSinkKind
+      then result = msg + " " + kind.(OutdatedSinkKind).outdatedMessage()
+      else result = msg
     )
     or
     exists(string kind | sourceModel(_, _, _, _, _, _, _, kind, _) |
