Ruby: renames for rb/insecure-download

alexrford · alexrford · commit a8ad0d8ff5ad · 2023-09-03T17:20:04.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll
@@ -2,7 +2,7 @@
  * Provides a dataflow configuration for reasoning about the download of sensitive file through insecure connection.
  *
  * Note, for performance reasons: only import this file if
- * `InsecureDownload::Configuration` is needed, otherwise
+ * `InsecureDownloadFlow` is needed, otherwise
  * `InsecureDownloadCustomizations` should be imported instead.
  */
 
@@ -12,6 +12,8 @@ import InsecureDownloadCustomizations::InsecureDownload
 
 /**
  * A taint tracking configuration for download of sensitive file through insecure connection.
+ *
+ * DEPRECATED: Use `InsecureDownloadFlow`.
  */
 deprecated class Configuration extends DataFlow::Configuration {
   Configuration() { this = "InsecureDownload" }
@@ -30,10 +32,7 @@ deprecated class Configuration extends DataFlow::Configuration {
   }
 }
 
-/**
- * A taint tracking configuration for download of sensitive file through insecure connection.
- */
-module Config implements DataFlow::StateConfigSig {
+private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
   class FlowState = string;
 
   predicate isSource(DataFlow::Node source, DataFlow::FlowState label) {
@@ -47,4 +46,13 @@ module Config implements DataFlow::StateConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 }
 
-module Flow = DataFlow::GlobalWithState<Config>;
+/**
+ * Taint-tracking for download of sensitive file through insecure connection.
+ */
+module InsecureDownloadFlow = DataFlow::GlobalWithState<InsecureDownloadConfig>;
+
+/** DEPRECATED: Use `InsecureDownloadConfig` */
+deprecated module Config = InsecureDownloadConfig;
+
+/** DEPRECATED: Use `InsecureDownloadFlow` */
+deprecated module Flow = InsecureDownloadFlow;
diff --git a/ruby/ql/src/queries/security/cwe-829/InsecureDownload.ql b/ruby/ql/src/queries/security/cwe-829/InsecureDownload.ql
@@ -11,12 +11,10 @@
  *       external/cwe/cwe-829
  */
 
-import codeql.ruby.AST
-import codeql.ruby.DataFlow
 import codeql.ruby.security.InsecureDownloadQuery
-import Flow::PathGraph
+import InsecureDownloadFlow::PathGraph
 
-from Flow::PathNode source, Flow::PathNode sink
-where Flow::flowPath(source, sink)
+from InsecureDownloadFlow::PathNode source, InsecureDownloadFlow::PathNode sink
+where InsecureDownloadFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "$@ of sensitive file from $@.",
   sink.getNode().(Sink).getDownloadCall(), "Download", source.getNode(), "HTTP source"
diff --git a/ruby/ql/test/query-tests/security/cwe-829/InsecureDownload.ql b/ruby/ql/test/query-tests/security/cwe-829/InsecureDownload.ql
@@ -1,7 +1,5 @@
-import codeql.ruby.AST
-import codeql.ruby.DataFlow
 import codeql.ruby.security.InsecureDownloadQuery
-import Flow::PathGraph
+import InsecureDownloadFlow::PathGraph
 import TestUtilities.InlineExpectationsTest
 import TestUtilities.InlineFlowTestUtil
 
@@ -10,7 +8,7 @@ module FlowTest implements TestSig {
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "BAD" and
-    exists(DataFlow::Node src, DataFlow::Node sink | Flow::flow(src, sink) |
+    exists(DataFlow::Node src, DataFlow::Node sink | InsecureDownloadFlow::flow(src, sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       if exists(getSourceArgString(src)) then value = getSourceArgString(src) else value = ""
@@ -20,6 +18,6 @@ module FlowTest implements TestSig {
 
 import MakeTest<FlowTest>
 
-from Flow::PathNode source, Flow::PathNode sink
-where Flow::flowPath(source, sink)
+from InsecureDownloadFlow::PathNode source, InsecureDownloadFlow::PathNode sink
+where InsecureDownloadFlow::flowPath(source, sink)
 select sink, source, sink, "$@", source, source.toString()
