Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit bd0137a

Browse files
egregius313egregius313
committed
Deprecated direct use of RemoteFlowSource and use ThreatModelFlowSource instead
1 parent 051d63a commit bd0137a

18 files changed

Lines changed: 150 additions & 55 deletions

csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll

Lines changed: 16 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -3,8 +3,7 @@
33
*/
44

55
import csharp
6-
private import semmle.code.csharp.security.dataflow.flowsources.Remote
7-
private import semmle.code.csharp.security.dataflow.flowsources.Local
6+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
87
private import semmle.code.csharp.frameworks.system.codedom.Compiler
98
private import semmle.code.csharp.security.Sanitizers
109
private import semmle.code.csharp.dataflow.internal.ExternalFlow
@@ -55,11 +54,22 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
5554
*/
5655
module CodeInjection = TaintTracking::Global<CodeInjectionConfig>;
5756

58-
/** A source of remote user input. */
59-
class RemoteSource extends Source instanceof RemoteFlowSource { }
57+
/**
58+
* DEPRECATED: Use `ThreatModelSource` instead.
59+
*
60+
* A source of remote user input.
61+
*/
62+
deprecated class RemoteSource extends Source instanceof RemoteFlowSource { }
63+
64+
/**
65+
* DEPRECATED: Use `ThreatModelSource` instead.
66+
*
67+
* A source of local user input.
68+
*/
69+
deprecated class LocalSource extends Source instanceof LocalFlowSource { }
6070

61-
/** A source of local user input. */
62-
class LocalSource extends Source instanceof LocalFlowSource { }
71+
/** A source supported by the current threat model. */
72+
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
6373

6474
private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
6575

csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
*/
44

55
import csharp
6-
private import semmle.code.csharp.security.dataflow.flowsources.Remote
6+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
77
private import semmle.code.csharp.frameworks.system.Diagnostics
88
private import semmle.code.csharp.security.Sanitizers
99
private import semmle.code.csharp.dataflow.internal.ExternalFlow
@@ -64,8 +64,15 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
6464
*/
6565
module CommandInjection = TaintTracking::Global<CommandInjectionConfig>;
6666

67-
/** A source of remote user input. */
68-
class RemoteSource extends Source instanceof RemoteFlowSource { }
67+
/**
68+
* DEPRECATED: Use `ThreatModelSource` instead.
69+
*
70+
* A source of remote user input.
71+
*/
72+
deprecated class RemoteSource extends Source instanceof RemoteFlowSource { }
73+
74+
/** A source supported by the current threat model. */
75+
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
6976

7077
/** Command Injection sinks defined through Models as Data. */
7178
private class ExternalCommandInjectionExprSink extends Sink {

csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
import csharp
77
private import semmle.code.csharp.controlflow.Guards
88
private import semmle.code.csharp.controlflow.BasicBlocks
9-
private import semmle.code.csharp.security.dataflow.flowsources.Remote
9+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
1010
private import semmle.code.csharp.frameworks.System
1111
private import semmle.code.csharp.frameworks.system.Net
1212
private import semmle.code.csharp.security.SensitiveActions
@@ -60,9 +60,16 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {
6060
*/
6161
module ConditionalBypass = TaintTracking::Global<ConditionalBypassConfig>;
6262

63-
/** A source of remote user input. */
63+
/**
64+
* DEPRECATED: Use `ThreatModelSource` instead.
65+
*
66+
* A source of remote user input.
67+
*/
6468
class RemoteSource extends Source instanceof RemoteFlowSource { }
6569

70+
/** A source supported by the current threat model. */
71+
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
72+
6673
/** The result of a reverse dns may be user-controlled. */
6774
class ReverseDnsSource extends Source {
6875
ReverseDnsSource() {

csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
*/
44

55
import csharp
6-
private import semmle.code.csharp.security.dataflow.flowsources.Remote
6+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
77
private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
88
private import semmle.code.csharp.security.PrivateData
99

csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55

66
import csharp
77
private import semmle.code.csharp.commons.QualifiedName
8-
private import semmle.code.csharp.dataflow.flowsources.Remote
8+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
99
private import semmle.code.csharp.frameworks.System
1010
private import semmle.code.csharp.dataflow.FlowSummary
1111

csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
*/
55

66
import csharp
7-
private import semmle.code.csharp.security.dataflow.flowsources.Remote
7+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
88
private import semmle.code.csharp.frameworks.system.DirectoryServices
99
private import semmle.code.csharp.frameworks.system.directoryservices.Protocols
1010
private import semmle.code.csharp.security.Sanitizers
@@ -66,8 +66,15 @@ module LdapInjectionConfig implements DataFlow::ConfigSig {
6666
*/
6767
module LdapInjection = TaintTracking::Global<LdapInjectionConfig>;
6868

69-
/** A source of remote user input. */
70-
class RemoteSource extends Source instanceof RemoteFlowSource { }
69+
/**
70+
* DEPRECATED: Use `ThreadModelSource` instead.
71+
*
72+
* A source of remote user input.
73+
*/
74+
deprecated class RemoteSource extends Source instanceof RemoteFlowSource { }
75+
76+
/** A source supported by the current threat model. */
77+
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
7178

7279
/** LDAP sinks defined through Models as Data. */
7380
private class ExternalLdapExprSink extends Sink {

csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
*/
44

55
import csharp
6-
private import semmle.code.csharp.security.dataflow.flowsources.Remote
6+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
77
private import semmle.code.csharp.frameworks.System
88
private import semmle.code.csharp.frameworks.system.text.RegularExpressions
99
private import semmle.code.csharp.security.Sanitizers
@@ -57,7 +57,7 @@ private module LogForgingConfig implements DataFlow::ConfigSig {
5757
module LogForging = TaintTracking::Global<LogForgingConfig>;
5858

5959
/** A source of remote user input. */
60-
private class RemoteSource extends Source instanceof RemoteFlowSource { }
60+
private class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
6161

6262
private class HtmlSanitizer extends Sanitizer {
6363
HtmlSanitizer() { this.asExpr() instanceof HtmlSanitizedExpr }

csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
*/
55

66
import csharp
7-
private import semmle.code.csharp.security.dataflow.flowsources.Remote
7+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
88
private import semmle.code.csharp.frameworks.system.Xml
99
private import semmle.code.csharp.security.Sanitizers
1010

@@ -62,8 +62,17 @@ private module MissingXmlValidationConfig implements DataFlow::ConfigSig {
6262
*/
6363
module MissingXmlValidation = TaintTracking::Global<MissingXmlValidationConfig>;
6464

65-
/** A source of remote user input. */
66-
class RemoteSource extends Source instanceof RemoteFlowSource { }
65+
/**
66+
* DEPRECATED: Use `ThreatModelFlowSource` instead.
67+
*
68+
* A source of remote user input.
69+
*/
70+
deprecated class RemoteSource extends Source instanceof RemoteFlowSource { }
71+
72+
/**
73+
* A source supported by the current threat model.
74+
*/
75+
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
6776

6877
/**
6978
* The input argument to a call to `XmlReader.Create` where the input will not be validated against

csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55

66
import csharp
77
private import semmle.code.csharp.dataflow.DataFlow2
8-
private import semmle.code.csharp.security.dataflow.flowsources.Remote
8+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
99
private import semmle.code.csharp.frameworks.system.text.RegularExpressions
1010
private import semmle.code.csharp.security.Sanitizers
1111

@@ -55,8 +55,15 @@ private module ReDoSConfig implements DataFlow::ConfigSig {
5555
*/
5656
module ReDoS = TaintTracking::Global<ReDoSConfig>;
5757

58-
/** A source of remote user input. */
59-
class RemoteSource extends Source instanceof RemoteFlowSource { }
58+
/**
59+
* DEPRECATED: Use `ThreatModelSource` instead.
60+
*
61+
* A source of remote user input.
62+
*/
63+
deprecated class RemoteSource extends Source instanceof RemoteFlowSource { }
64+
65+
/** A source supported by the current threat model. */
66+
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
6067

6168
/**
6269
* An expression that represents a regular expression with potential exponential behavior.

csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
*/
55

66
import csharp
7-
private import semmle.code.csharp.security.dataflow.flowsources.Remote
7+
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
88
private import semmle.code.csharp.frameworks.system.text.RegularExpressions
99
private import semmle.code.csharp.security.Sanitizers
1010

@@ -54,8 +54,15 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig {
5454
*/
5555
module RegexInjection = TaintTracking::Global<RegexInjectionConfig>;
5656

57-
/** A source of remote user input. */
58-
class RemoteSource extends Source instanceof RemoteFlowSource { }
57+
/**
58+
* DEPRECATED: Use `ThreatModelSource` instead.
59+
*
60+
* A source of remote user input.
61+
*/
62+
deprecated class RemoteSource extends Source instanceof RemoteFlowSource { }
63+
64+
/** A source supported by the current threat model. */
65+
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
5966

6067
/**
6168
* A `pattern` argument to a construction of a `Regex`.

0 commit comments

Comments
 (0)