Merge pull request #16362 from michaelnebel/java/removelocalqueries

Java: Remove local query variants.

Author: michaelnebel

java/ql/automodel/src/AutomodelAlertSinkUtil.qll

@@ -159,11 +159,7 @@ predicate sinkModelTallyPerQuery(string queryName, int alertCount, SinkModel sin
   SinkTallier<RequestForgeryConfig>::getSinkModelCount(alertCount, sinkModel)
   or
   queryName = "java/command-line-injection" and
-  exists(int c1, int c2 |
-    SinkTallier<RemoteUserInputToArgumentToExecFlowConfig>::getSinkModelCount(c1, sinkModel) and
-    SinkTallier<LocalUserInputToArgumentToExecFlowConfig>::getSinkModelCount(c2, sinkModel) and
-    alertCount = c1 + c2
-  )
+  SinkTallier<InputToArgumentToExecFlowConfig>::getSinkModelCount(alertCount, sinkModel)
   or
   queryName = "java/concatenated-sql-query" and
   SinkTallier<UncontrolledStringBuilderSourceFlowConfig>::getSinkModelCount(alertCount, sinkModel)

java/ql/lib/semmle/code/java/security/ArithmeticTaintedLocalQuery.qll

@@ -5,9 +5,11 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ArithmeticCommon
 
 /**
+ * DEPRECATED: Use `ArithmeticOverflowConfig` instead.
+ *
  * A taint-tracking configuration to reason about arithmetic overflow using local-user-controlled data.
  */
-module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
+deprecated module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
@@ -18,15 +20,17 @@ module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `ArithmeticOverflow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for arithmetic overflow using local-user-controlled data.
  */
-module ArithmeticTaintedLocalOverflowFlow =
+deprecated module ArithmeticTaintedLocalOverflowFlow =
   TaintTracking::Global<ArithmeticTaintedLocalOverflowConfig>;
 
 /**
  * A taint-tracking configuration to reason about arithmetic underflow using local-user-controlled data.
  */
-module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
+deprecated module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
@@ -37,7 +41,9 @@ module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `ArithmeticUnderflow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for arithmetic underflow using local-user-controlled data.
  */
-module ArithmeticTaintedLocalUnderflowFlow =
+deprecated module ArithmeticTaintedLocalUnderflowFlow =
   TaintTracking::Global<ArithmeticTaintedLocalUnderflowConfig>;

java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll

@@ -1,11 +1,11 @@
-/** Provides taint-tracking configurations to reason about arithmetic with unvalidated user input. */
+/** Provides taint-tracking configurations to reason about arithmetic with unvalidated input. */
 
 import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ArithmeticCommon
 
-/** A taint-tracking configuration to reason about overflow from unvalidated user input. */
-module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
+/** A taint-tracking configuration to reason about overflow from unvalidated input. */
+module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
@@ -15,8 +15,13 @@ module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
-/** A taint-tracking configuration to reason about underflow from unvalidated user input. */
-module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
+/**
+ * DEPRECATED: Use `ArithmeticOverflowConfig` instead.
+ */
+deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig;
+
+/** A taint-tracking configuration to reason about underflow from unvalidated input. */
+module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
@@ -26,8 +31,23 @@ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
-/** Taint-tracking flow for overflow from unvalidated user input. */
-module RemoteUserInputOverflow = TaintTracking::Global<RemoteUserInputOverflowConfig>;
+/**
+ * DEPRECATED: Use `ArithmeticUnderflowConfig` instead.
+ */
+deprecated module RemoteUserInputUnderflowConfig = ArithmeticUnderflowConfig;
+
+/** Taint-tracking flow for overflow from unvalidated input. */
+module ArithmeticOverflow = TaintTracking::Global<ArithmeticOverflowConfig>;
+
+/**
+ * DEPRECATED: Use `ArithmeticOverflow` instead.
+ */
+deprecated module RemoteUserInputOverflow = ArithmeticOverflow;
+
+/** Taint-tracking flow for underflow from unvalidated input. */
+module ArithmeticUnderflow = TaintTracking::Global<ArithmeticUnderflowConfig>;
 
-/** Taint-tracking flow for underflow from unvalidated user input. */
-module RemoteUserInputUnderflow = TaintTracking::Global<RemoteUserInputUnderflowConfig>;
+/**
+ * DEPRECATED: Use `ArithmeticUnderflow` instead.
+ */
+deprecated module RemoteUserInputUnderflow = ArithmeticUnderflow;

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -48,7 +48,7 @@ private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer
 /**
  * A taint-tracking configuration for unvalidated user input that is used to run an external process.
  */
-module RemoteUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
+module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
@@ -61,15 +61,24 @@ module RemoteUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig
 }
 
 /**
- * Taint-tracking flow for unvalidated user input that is used to run an external process.
+ * DEPRECATED: Use `InputToArgumentToExecFlowConfig` instead.
  */
-module RemoteUserInputToArgumentToExecFlow =
-  TaintTracking::Global<RemoteUserInputToArgumentToExecFlowConfig>;
+deprecated module RemoteUserInputToArgumentToExecFlowConfig = InputToArgumentToExecFlowConfig;
+
+/**
+ * Taint-tracking flow for unvalidated input that is used to run an external process.
+ */
+module InputToArgumentToExecFlow = TaintTracking::Global<InputToArgumentToExecFlowConfig>;
+
+/**
+ * DEPRECATED: Use `InputToArgumentToExecFlow` instead.
+ */
+deprecated module RemoteUserInputToArgumentToExecFlow = InputToArgumentToExecFlow;
 
 /**
  * A taint-tracking configuration for unvalidated local user input that is used to run an external process.
  */
-module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
+deprecated module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
@@ -82,9 +91,11 @@ module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `InputToArgumentToExecFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for unvalidated local user input that is used to run an external process.
  */
-module LocalUserInputToArgumentToExecFlow =
+deprecated module LocalUserInputToArgumentToExecFlow =
   TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
 
 /**
@@ -93,10 +104,9 @@ module LocalUserInputToArgumentToExecFlow =
  * reporting overlapping results.
  */
 predicate execIsTainted(
-  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 ) {
-  RemoteUserInputToArgumentToExecFlow::flowPath(source, sink) and
+  InputToArgumentToExecFlow::flowPath(source, sink) and
   argumentToExec(execArg, sink.getNode())
 }
 

java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll

@@ -7,7 +7,7 @@ private import semmle.code.java.security.CommandArguments
 private import semmle.code.java.security.Sanitizers
 
 /** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
-module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
+deprecated module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
@@ -20,6 +20,8 @@ module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRCATED: Unused.
+ *
  * Taint-tracking flow for use of externally controlled strings to make command line commands.
  */
-module ExecTaintedLocalFlow = TaintTracking::Global<ExecTaintedLocalConfig>;
+deprecated module ExecTaintedLocalFlow = TaintTracking::Global<ExecTaintedLocalConfig>;

java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll

@@ -5,7 +5,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.StringFormat
 
 /** A taint-tracking configuration to reason about externally-controlled format strings from local sources. */
-module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
+deprecated module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) {
@@ -18,7 +18,9 @@ module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSi
 }
 
 /**
+ * DEPRECATED: Use `ExternallyControlledFormatStringFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for externally-controlled format strings from local sources.
  */
-module ExternallyControlledFormatStringLocalFlow =
+deprecated module ExternallyControlledFormatStringLocalFlow =
   TaintTracking::Global<ExternallyControlledFormatStringLocalConfig>;

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionLocalQuery.qll

@@ -7,7 +7,7 @@ private import semmle.code.java.dataflow.FlowSources
 /**
  * A taint-tracking configuration to reason about improper validation of local user-provided size used for array construction.
  */
-module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
+deprecated module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) {
@@ -16,7 +16,9 @@ module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::Con
 }
 
 /**
+ * DEPRECATED: Use `ImproperValidationOfArrayConstructionFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for improper validation of local user-provided size used for array construction.
  */
-module ImproperValidationOfArrayConstructionLocalFlow =
+deprecated module ImproperValidationOfArrayConstructionLocalFlow =
   TaintTracking::Global<ImproperValidationOfArrayConstructionLocalConfig>;

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll

@@ -7,7 +7,7 @@ private import semmle.code.java.dataflow.FlowSources
 /**
  * A taint-tracking configuration to reason about improper validation of local user-provided array index.
  */
-module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
+deprecated module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) {
@@ -20,7 +20,9 @@ module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig
 }
 
 /**
+ * DEPRECATED: Use `ImproperValidationOfArrayIndexFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for improper validation of local user-provided array index.
  */
-module ImproperValidationOfArrayIndexLocalFlow =
+deprecated module ImproperValidationOfArrayIndexLocalFlow =
   TaintTracking::Global<ImproperValidationOfArrayIndexLocalConfig>;

java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll

@@ -113,7 +113,7 @@ module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
  * A taint-tracking configuration for reasoning about local user input that is
  * used in a numeric cast.
  */
-module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
+deprecated module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) {
@@ -134,6 +134,8 @@ module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `NumericCastFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for local user input that is used in a numeric cast.
  */
-module NumericCastLocalFlow = TaintTracking::Global<NumericCastLocalFlowConfig>;
+deprecated module NumericCastLocalFlow = TaintTracking::Global<NumericCastLocalFlowConfig>;

java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll

@@ -7,7 +7,7 @@ private import semmle.code.java.security.ResponseSplitting
 /**
  * A taint-tracking configuration to reason about response splitting vulnerabilities from local user input.
  */
-module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
+deprecated module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
@@ -32,6 +32,8 @@ module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `ResponseSplittingFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for response splitting vulnerabilities from local user input.
  */
-module ResponseSplittingLocalFlow = TaintTracking::Global<ResponseSplittingLocalConfig>;
+deprecated module ResponseSplittingLocalFlow = TaintTracking::Global<ResponseSplittingLocalConfig>;

java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll

@@ -12,7 +12,7 @@ private import semmle.code.java.security.Sanitizers
  * A taint-tracking configuration for reasoning about local user input that is
  * used in a SQL query.
  */
-module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
+deprecated module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
@@ -25,7 +25,9 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `QueryInjectionFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for local user input that is used in a SQL query.
  */
-module LocalUserInputToQueryInjectionFlow =
+deprecated module LocalUserInputToQueryInjectionFlow =
   TaintTracking::Global<LocalUserInputToQueryInjectionFlowConfig>;

java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll

@@ -80,7 +80,7 @@ module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
 /**
  * A taint-tracking configuration for tracking flow from local user input to the creation of a path.
  */
-module TaintedPathLocalConfig implements DataFlow::ConfigSig {
+deprecated module TaintedPathLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof TaintedPathSink }
@@ -95,5 +95,9 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
   }
 }
 
-/** Tracks flow from local user input to the creation of a path. */
-module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;
+/**
+ * DEPRECATED: Use `TaintedPathFlow` instead and configure threat model sources to include `local`.
+ *
+ * Tracks flow from local user input to the creation of a path.
+ */
+deprecated module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;

java/ql/lib/semmle/code/java/security/UrlRedirectLocalQuery.qll

@@ -7,13 +7,15 @@ private import semmle.code.java.security.UrlRedirect
 /**
  * A taint-tracking configuration to reason about URL redirection from local sources.
  */
-module UrlRedirectLocalConfig implements DataFlow::ConfigSig {
+deprecated module UrlRedirectLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
 }
 
 /**
+ * DEPRECATED: Use `UrlRedirectFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for URL redirection from local sources.
  */
-module UrlRedirectLocalFlow = TaintTracking::Global<UrlRedirectLocalConfig>;
+deprecated module UrlRedirectLocalFlow = TaintTracking::Global<UrlRedirectLocalConfig>;

java/ql/lib/semmle/code/java/security/XssLocalQuery.qll

@@ -8,7 +8,7 @@ private import semmle.code.java.security.XSS
 /**
  * A taint-tracking configuration for reasoning about cross-site scripting vulnerabilities from a local source.
  */
-module XssLocalConfig implements DataFlow::ConfigSig {
+deprecated module XssLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
@@ -23,6 +23,8 @@ module XssLocalConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `XssFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for cross-site scripting vulnerabilities from a local source.
  */
-module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
+deprecated module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;

java/ql/lib/semmle/code/java/security/XxeLocalQuery.qll

@@ -27,7 +27,7 @@ deprecated class XxeLocalConfig extends TaintTracking::Configuration {
 /**
  * A taint-tracking configuration for unvalidated local user input that is used in XML external entity expansion.
  */
-module XxeLocalConfig implements DataFlow::ConfigSig {
+deprecated module XxeLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
@@ -40,6 +40,8 @@ module XxeLocalConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `XxeFlow` instead and configure threat model sources to include `local`.
+ *
  * Detect taint flow of unvalidated local user input that is used in XML external entity expansion.
  */
-module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
+deprecated module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;