diff --git a/csharp/ql/lib/change-notes/2024-09-10-ActiveThreatModelSource.md b/csharp/ql/lib/change-notes/2024-09-10-ActiveThreatModelSource.md new file mode 100644 index 000000000000..a51e3e1deaf0 --- /dev/null +++ b/csharp/ql/lib/change-notes/2024-09-10-ActiveThreatModelSource.md @@ -0,0 +1,4 @@ +--- +category: deprecated +--- +* The class `ThreatModelFlowSource` has been renamed to `ActiveThreatModelSource` to more clearly reflect it only contains the currently active threat model sources. `ThreatModelFlowSource` has been marked as deprecated. diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll index 858adcc22687..2ea422855ad8 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll @@ -18,7 +18,7 @@ private predicate needsChecks(ActionMethod m) { m.isEdit() and not m.isAdmin() } * that may indicate that it's used as the ID for some resource */ private predicate hasIdParameter(ActionMethod m) { - exists(ThreatModelFlowSource src | src.getEnclosingCallable() = m | + exists(ActiveThreatModelSource src | src.getEnclosingCallable() = m | src.asParameter().getName().toLowerCase().matches(["%id", "%idx"]) or // handle cases like `Request.QueryString["Id"]` diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll index 2b55697ebda9..8ec9122864fb 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll @@ -55,7 +55,7 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { } diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll index 24c80c07f894..84352389c419 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll @@ -57,7 +57,7 @@ module CommandInjection = TaintTracking::Global; deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** Command Injection sinks defined through Models as Data. */ private class ExternalCommandInjectionExprSink extends Sink { diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll index 2bc10dead22b..f92bb0d2f44a 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll @@ -54,7 +54,7 @@ module ConditionalBypass = TaintTracking::Global; deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** The result of a reverse dns may be user-controlled. */ class ReverseDnsSource extends Source { diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll index 69a1823a4554..f1a64f6810b8 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll @@ -73,14 +73,14 @@ class ExternalApiDataNode extends DataFlow::Node { } } -/** A configuration for tracking flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. */ +/** A configuration for tracking flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } } -/** A module for tracking flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. */ +/** A module for tracking flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */ module RemoteSourceToExternalApi = TaintTracking::Global; /** A node representing untrusted data being passed to an external API. */ diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll index bdba76bfb5cb..e2e96034c41e 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll @@ -60,7 +60,7 @@ module LdapInjection = TaintTracking::Global; deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** LDAP sinks defined through Models as Data. */ private class ExternalLdapExprSink extends Sink { diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll index 7c4429bcbf84..8181c9bcb74a 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll @@ -43,7 +43,7 @@ private module LogForgingConfig implements DataFlow::ConfigSig { module LogForging = TaintTracking::Global; /** A source of remote user input. */ -private class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +private class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } private class HtmlSanitizer extends Sanitizer { HtmlSanitizer() { this.asExpr() instanceof HtmlSanitizedExpr } diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll index 4e14bed2c33e..3401dab7ea24 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll @@ -48,7 +48,7 @@ private module MissingXmlValidationConfig implements DataFlow::ConfigSig { module MissingXmlValidation = TaintTracking::Global; /** - * DEPRECATED: Use `ThreatModelFlowSource` instead. + * DEPRECATED: Use `ActiveThreatModelSource` instead. * * A source of remote user input. */ @@ -57,7 +57,7 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource /** * A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** * The input argument to a call to `XmlReader.Create` where the input will not be validated against diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll index f6225ce36bd0..5addc03bd88b 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll @@ -49,7 +49,7 @@ module ReDoS = TaintTracking::Global; deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** * An expression that represents a regular expression with potential exponential behavior. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll index 8affdb1e9dd6..620c07a9ea21 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll @@ -48,7 +48,7 @@ module RegexInjection = TaintTracking::Global; deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** * A `pattern` argument to a construction of a `Regex`. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll index dd1c088042da..40814729e559 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll @@ -54,7 +54,7 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** An argument to the `ConnectionString` property on a data connection class. */ class SqlConnectionStringSink extends Sink { diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll index 5a900461af70..cc7b61c31f21 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll @@ -65,7 +65,7 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** An SQL expression passed to an API call that executes SQL. */ class SqlInjectionExprSink extends Sink { diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll index 21c3cbdf9421..bdc7245aeb2d 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll @@ -50,7 +50,7 @@ module TaintedPath = TaintTracking::Global; deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** * A path argument to a `File` method call. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll index 51aef35272f4..009e1ab73c1d 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll @@ -49,7 +49,7 @@ abstract private class ConstructorOrStaticMethodSink extends Sink { } */ abstract class Sanitizer extends DataFlow::Node { } -private class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +private class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** * User input to object method call deserialization flow tracking configuration. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll index 09f6130985f4..0838fe7be4b6 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll @@ -52,7 +52,7 @@ module UrlRedirect = TaintTracking::Global; deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** URL Redirection sinks defined through Models as Data. */ private class ExternalUrlRedirectExprSink extends Sink { diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll index 4efeadb3c7e6..38801410d857 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll @@ -15,7 +15,7 @@ private import semmle.code.csharp.security.Sanitizers */ abstract class Source extends DataFlow::Node { } -private class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +private class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** * A data flow sink for untrusted user input used in XML processing. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll index 0e8e41c9773b..140870c70fae 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll @@ -58,7 +58,7 @@ module XpathInjection = TaintTracking::Global; deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** The `xpath` argument to an `XPathExpression.Compile(..)` call. */ class XPathExpressionCompileSink extends Sink { diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll index 4ea9e562bb5f..81029cc6572e 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll @@ -165,7 +165,7 @@ module XssTrackingConfig implements DataFlow::ConfigSig { module XssTracking = TaintTracking::Global; /** A source supported by the current threat model. */ -private class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +private class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { } diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll index c610b3de4c74..526e337e9dac 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll @@ -20,11 +20,18 @@ abstract class SourceNode extends DataFlow::Node { } /** + * DEPRECATED: Use `ActiveThreatModelSource` instead. + * * A class of data flow sources that respects the * current threat model configuration. */ -class ThreatModelFlowSource extends DataFlow::Node { - ThreatModelFlowSource() { +deprecated class ThreatModelFlowSource = ActiveThreatModelSource; + +/** + * A data flow source that is enabled in the current threat model configuration. + */ +class ActiveThreatModelSource extends DataFlow::Node { + ActiveThreatModelSource() { exists(string kind | // Specific threat model. currentThreatModel(kind) and diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql index 042e2aa9f171..16eca675e6a1 100644 --- a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql +++ b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql @@ -20,7 +20,7 @@ import XmlInjection::PathGraph * A taint-tracking configuration for untrusted user input used in XML. */ module XmlInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(MethodCall mc | diff --git a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql index 9d30366af8f2..118591f3f9ef 100644 --- a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql +++ b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql @@ -21,7 +21,7 @@ import AssemblyPathInjection::PathGraph * A taint-tracking configuration for untrusted user input used to load a DLL. */ module AssemblyPathInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(MethodCall mc, string name, int arg | diff --git a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql index 7eec0bb90c6b..a027170dc372 100644 --- a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql +++ b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql @@ -17,7 +17,7 @@ import semmle.code.csharp.frameworks.Format import FormatString::PathGraph module FormatStringConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(FormatCall call | call.hasInsertions()).getFormatExpr() diff --git a/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll b/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll index eea18ae3b6e8..716702ca008c 100644 --- a/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll +++ b/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll @@ -61,7 +61,7 @@ module TaintedWebClient = TaintTracking::Global; deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { } /** A source supported by the current threat model. */ -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** * A path argument to a `WebClient` method call that has an address argument. diff --git a/csharp/ql/src/experimental/CWE-918/RequestForgery.qll b/csharp/ql/src/experimental/CWE-918/RequestForgery.qll index dac68adfcc15..6d06ca5fa445 100644 --- a/csharp/ql/src/experimental/CWE-918/RequestForgery.qll +++ b/csharp/ql/src/experimental/CWE-918/RequestForgery.qll @@ -60,7 +60,7 @@ module RequestForgery { /** * A dataflow source for Server Side Request Forgery(SSRF) Vulnerabilities. */ - private class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } /** * An url argument to a `HttpRequestMessage` constructor call diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.ql b/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.ql index aa89a4c34553..017c4370dfd4 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.ql +++ b/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.ql @@ -2,5 +2,5 @@ import csharp import semmle.code.csharp.security.dataflow.flowsources.FlowSources from DataFlow::Node source -where source instanceof ThreatModelFlowSource +where source instanceof ActiveThreatModelSource select source diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandLineFlow.ql b/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandLineFlow.ql index 731043cf4706..579514c496f1 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandLineFlow.ql +++ b/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandLineFlow.ql @@ -2,7 +2,7 @@ import csharp import semmle.code.csharp.security.dataflow.flowsources.FlowSources module CommandLineFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(MethodCall mc | mc.getTarget().hasName("Sink") | sink.asExpr() = mc.getArgument(0)) diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/local/registry/Registry.ql b/csharp/ql/test/library-tests/dataflow/flowsources/local/registry/Registry.ql index 9e2934e9e19a..8462205d61a1 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/local/registry/Registry.ql +++ b/csharp/ql/test/library-tests/dataflow/flowsources/local/registry/Registry.ql @@ -2,5 +2,5 @@ import csharp import semmle.code.csharp.security.dataflow.flowsources.FlowSources from DataFlow::Node source -where source instanceof ThreatModelFlowSource +where source instanceof ActiveThreatModelSource select source, source.(SourceNode).getThreatModel() diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/stored/database/dapper/DatabaseSources.ql b/csharp/ql/test/library-tests/dataflow/flowsources/stored/database/dapper/DatabaseSources.ql index aa9372d73d29..aff922884ff5 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/stored/database/dapper/DatabaseSources.ql +++ b/csharp/ql/test/library-tests/dataflow/flowsources/stored/database/dapper/DatabaseSources.ql @@ -4,7 +4,7 @@ import TestUtilities.InlineFlowTest import TaintFlowTest module DatabaseConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(MethodCall mc | mc.getTarget().hasName("Sink") | sink.asExpr() = mc.getArgument(0)) diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/stored/file/Files.ql b/csharp/ql/test/library-tests/dataflow/flowsources/stored/file/Files.ql index 1060ea756a26..ad8a40fa0741 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/stored/file/Files.ql +++ b/csharp/ql/test/library-tests/dataflow/flowsources/stored/file/Files.ql @@ -4,7 +4,7 @@ import TestUtilities.InlineFlowTest import TaintFlowTest module FilesConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(MethodCall mc | mc.getTarget().hasName("Sink") | sink.asExpr() = mc.getArgument(0)) diff --git a/csharp/ql/test/library-tests/dataflow/threat-models/Test.qll b/csharp/ql/test/library-tests/dataflow/threat-models/Test.qll index c2e200fd3046..3f702d4b0198 100644 --- a/csharp/ql/test/library-tests/dataflow/threat-models/Test.qll +++ b/csharp/ql/test/library-tests/dataflow/threat-models/Test.qll @@ -4,7 +4,7 @@ private import semmle.code.csharp.dataflow.internal.ExternalFlow private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private module ThreatModelConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) } } diff --git a/go/ql/lib/change-notes/2024-09-10-ActiveThreatModelSource.md b/go/ql/lib/change-notes/2024-09-10-ActiveThreatModelSource.md new file mode 100644 index 000000000000..a51e3e1deaf0 --- /dev/null +++ b/go/ql/lib/change-notes/2024-09-10-ActiveThreatModelSource.md @@ -0,0 +1,4 @@ +--- +category: deprecated +--- +* The class `ThreatModelFlowSource` has been renamed to `ActiveThreatModelSource` to more clearly reflect it only contains the currently active threat model sources. `ThreatModelFlowSource` has been marked as deprecated. diff --git a/go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll index 6fec1b5d98c1..c2874d7cdac4 100644 --- a/go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll +++ b/go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll @@ -31,12 +31,12 @@ module CommandInjection { abstract class Sanitizer extends DataFlow::Node { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource; /** A source of untrusted data, considered as a taint source for command injection. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } /** A command name, considered as a taint sink for command injection. */ class CommandNameAsSink extends Sink { diff --git a/go/ql/lib/semmle/go/security/ExternalAPIs.qll b/go/ql/lib/semmle/go/security/ExternalAPIs.qll index 5eb41dd2579a..6799099b999f 100644 --- a/go/ql/lib/semmle/go/security/ExternalAPIs.qll +++ b/go/ql/lib/semmle/go/security/ExternalAPIs.qll @@ -183,24 +183,24 @@ class UnknownExternalApiDataNode extends ExternalApiDataNode { } private module UntrustedDataConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } } /** - * Tracks data flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. + * Tracks data flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */ module UntrustedDataToExternalApiFlow = DataFlow::Global; private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode } } /** - * Tracks data flow from `ThreatModelFlowSource`s to `UnknownExternalApiDataNode`s. + * Tracks data flow from `ActiveThreatModelSource`s to `UnknownExternalApiDataNode`s. */ module UntrustedDataToUnknownExternalApiFlow = DataFlow::Global; diff --git a/go/ql/lib/semmle/go/security/FlowSources.qll b/go/ql/lib/semmle/go/security/FlowSources.qll index f982419f7c8a..258f924b6fb2 100644 --- a/go/ql/lib/semmle/go/security/FlowSources.qll +++ b/go/ql/lib/semmle/go/security/FlowSources.qll @@ -55,11 +55,18 @@ abstract class SourceNode extends DataFlow::Node { } /** + * DEPRECATED: Use `ActiveThreatModelSource` instead. + * * A class of data flow sources that respects the * current threat model configuration. */ -class ThreatModelFlowSource extends DataFlow::Node { - ThreatModelFlowSource() { +deprecated class ThreatModelFlowSource = ActiveThreatModelSource; + +/** + * A data flow source that is enabled in the current threat model configuration. + */ +class ActiveThreatModelSource extends DataFlow::Node { + ActiveThreatModelSource() { exists(string kind | // Specific threat model. currentThreatModel(kind) and diff --git a/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll index 6d93dfa2e5ad..188256f9643b 100644 --- a/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll +++ b/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll @@ -26,12 +26,12 @@ module LogInjection { abstract class Sanitizer extends DataFlow::Node { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource; /** A source of untrusted data, considered as a taint source for log injection. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } /** An argument to a logging mechanism. */ class LoggerSink extends Sink { diff --git a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheckCustomizations.qll b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheckCustomizations.qll index e86b20d67e89..e1b153da24a9 100644 --- a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheckCustomizations.qll +++ b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheckCustomizations.qll @@ -49,7 +49,7 @@ module MissingJwtSignatureCheck { } } - private class DefaultSource extends Source instanceof ThreatModelFlowSource { } + private class DefaultSource extends Source instanceof ActiveThreatModelSource { } private class DefaultSink extends Sink { DefaultSink() { sinkNode(this, "jwt") } diff --git a/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll b/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll index 8e72b53087aa..304bc004e038 100644 --- a/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll +++ b/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll @@ -43,14 +43,14 @@ module OpenUrlRedirect { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource; /** * A source of third-party user input, considered as a flow source for URL redirects. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { ThreatModelFlowAsSource() { // exclude some fields and methods of URLs that are generally not attacker-controllable for // open redirect exploits diff --git a/go/ql/lib/semmle/go/security/ReflectedXssCustomizations.qll b/go/ql/lib/semmle/go/security/ReflectedXssCustomizations.qll index 0d376b9f7dad..47e823708304 100644 --- a/go/ql/lib/semmle/go/security/ReflectedXssCustomizations.qll +++ b/go/ql/lib/semmle/go/security/ReflectedXssCustomizations.qll @@ -35,14 +35,14 @@ module ReflectedXss { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource; /** * A third-party controllable input, considered as a flow source for reflected XSS. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } /** An arbitrary XSS sink, considered as a flow sink for stored XSS. */ private class AnySink extends Sink instanceof SharedXss::Sink { } diff --git a/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll b/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll index b56395cceedd..2449ffe488ca 100644 --- a/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll +++ b/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll @@ -34,14 +34,14 @@ module RequestForgery { abstract class SanitizerEdge extends DataFlow::Node { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource; /** * A third-party controllable input, considered as a flow source for request forgery. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } private class DefaultRequestForgerySink extends Sink { string kind; diff --git a/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll index 9d813469ee70..0b2f96a92838 100644 --- a/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll +++ b/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll @@ -26,12 +26,12 @@ module SqlInjection { abstract class Sanitizer extends DataFlow::Node { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource; /** A source of untrusted data, considered as a taint source for SQL injection. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } /** An SQL string, considered as a taint sink for SQL injection. */ class SqlQueryAsSink extends Sink instanceof SQL::QueryString { } diff --git a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll index 31f8b3ad391e..953d9810d532 100644 --- a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll +++ b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll @@ -45,12 +45,12 @@ module TaintedPath { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource; /** A source of untrusted data, considered as a taint source for path traversal. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } /** A path expression, considered as a taint sink for path traversal. */ class PathAsSink extends Sink { diff --git a/go/ql/lib/semmle/go/security/UncontrolledAllocationSizeCustomizations.qll b/go/ql/lib/semmle/go/security/UncontrolledAllocationSizeCustomizations.qll index 7ee4edb0c726..460c95fe3cd5 100644 --- a/go/ql/lib/semmle/go/security/UncontrolledAllocationSizeCustomizations.qll +++ b/go/ql/lib/semmle/go/security/UncontrolledAllocationSizeCustomizations.qll @@ -21,7 +21,7 @@ module UncontrolledAllocationSize { abstract class Sanitizer extends DataFlow::Node { } /** A source of untrusted data, considered as a taint source for uncontrolled size allocation vulnerabilities. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } /** The size argument of a memory allocation function. */ private class AllocationSizeAsSink extends Sink instanceof AllocationSizeOverflow::AllocationSize { diff --git a/go/ql/lib/semmle/go/security/XPathInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/XPathInjectionCustomizations.qll index 6e99fbf00f54..472ed041ea1c 100644 --- a/go/ql/lib/semmle/go/security/XPathInjectionCustomizations.qll +++ b/go/ql/lib/semmle/go/security/XPathInjectionCustomizations.qll @@ -25,12 +25,12 @@ module XPathInjection { abstract class Sanitizer extends DataFlow::ExprNode { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource; /** A source of untrusted data, used in an XPath expression. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } /** An XPath expression string, considered as a taint sink for XPath injection. */ class XPathExpressionStringAsSink extends Sink instanceof XPath::XPathExpressionString { } diff --git a/go/ql/src/Security/CWE-640/EmailInjectionCustomizations.qll b/go/ql/src/Security/CWE-640/EmailInjectionCustomizations.qll index ca3609bf2a3d..92ae2bc92095 100644 --- a/go/ql/src/Security/CWE-640/EmailInjectionCustomizations.qll +++ b/go/ql/src/Security/CWE-640/EmailInjectionCustomizations.qll @@ -17,12 +17,12 @@ module EmailInjection { abstract class Sink extends DataFlow::Node { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowSourceAsSource = ThreatModelFlowAsSource; /** A source of untrusted data, considered as a taint source for email injection. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } /** * A data-flow node that becomes part of an email considered as a taint sink for email injection. diff --git a/go/ql/src/experimental/CWE-090/LDAPInjection.qll b/go/ql/src/experimental/CWE-090/LDAPInjection.qll index a63d7b2e783c..4e0a6e290dab 100644 --- a/go/ql/src/experimental/CWE-090/LDAPInjection.qll +++ b/go/ql/src/experimental/CWE-090/LDAPInjection.qll @@ -98,13 +98,13 @@ private class LdapClientDNSink extends LdapSink { /** * DEPRECATED: Use `LdapInjectionFlow` instead. * - * A taint-tracking configuration for reasoning about when a `ThreatModelFlowSource` + * A taint-tracking configuration for reasoning about when a `ActiveThreatModelSource` * flows into an argument or field that is vulnerable to LDAP injection. */ deprecated class LdapInjectionConfiguration extends TaintTracking::Configuration { LdapInjectionConfiguration() { this = "Ldap injection" } - override predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + override predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } override predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink } @@ -112,7 +112,7 @@ deprecated class LdapInjectionConfiguration extends TaintTracking::Configuration } private module LdapInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink } @@ -120,7 +120,7 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig { } /** - * Tracks taint flow for reasoning about when a `ThreatModelFlowSource` flows + * Tracks taint flow for reasoning about when a `ActiveThreatModelSource` flows * into an argument or field that is vulnerable to LDAP injection. */ module LdapInjectionFlow = TaintTracking::Global; diff --git a/go/ql/src/experimental/CWE-203/Timing.ql b/go/ql/src/experimental/CWE-203/Timing.ql index 12f75b74e449..ab0b50a657a9 100644 --- a/go/ql/src/experimental/CWE-203/Timing.ql +++ b/go/ql/src/experimental/CWE-203/Timing.ql @@ -98,7 +98,7 @@ private class SensitiveStringSink extends Sink { module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource and not isBadResult(source) + source instanceof ActiveThreatModelSource and not isBadResult(source) } predicate isSink(DataFlow::Node sink) { sink instanceof Sink and not isBadResult(sink) } diff --git a/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll b/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll index a3016f65372f..7a62041a774a 100644 --- a/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll +++ b/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll @@ -68,7 +68,7 @@ module ImproperLdapAuth { private module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource or source instanceof EmptyString + source instanceof ActiveThreatModelSource or source instanceof EmptyString } predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink } diff --git a/go/ql/src/experimental/CWE-369/DivideByZero.ql b/go/ql/src/experimental/CWE-369/DivideByZero.ql index 956a2d55300f..b6709b97d712 100644 --- a/go/ql/src/experimental/CWE-369/DivideByZero.ql +++ b/go/ql/src/experimental/CWE-369/DivideByZero.ql @@ -28,7 +28,7 @@ predicate divideByZeroSanitizerGuard(DataFlow::Node g, Expr e, boolean branch) { } module Config implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { exists(Function f, DataFlow::CallNode cn | cn = f.getACall() | diff --git a/go/ql/src/experimental/CWE-74/DsnInjection.ql b/go/ql/src/experimental/CWE-74/DsnInjection.ql index 76ce22344b47..2b2ee0a62e4c 100644 --- a/go/ql/src/experimental/CWE-74/DsnInjection.ql +++ b/go/ql/src/experimental/CWE-74/DsnInjection.ql @@ -14,7 +14,7 @@ import DsnInjectionCustomizations import DsnInjectionFlow::PathGraph /** A remote flow source taken as a source for the `DsnInjection` taint-flow configuration. */ -private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } +private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } from DsnInjectionFlow::PathNode source, DsnInjectionFlow::PathNode sink where DsnInjectionFlow::flowPath(source, sink) diff --git a/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql b/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql index 7918b9694ea5..0aff713f26bc 100644 --- a/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql +++ b/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql @@ -36,7 +36,7 @@ class PassthroughTypeName extends string { } module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } additional predicate isSinkToPassthroughType(DataFlow::TypeCastNode sink, PassthroughTypeName name) { exists(Type typ | @@ -53,7 +53,7 @@ module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig } /** - * Tracks taint flow for reasoning about when a `ThreatModelFlowSource` is + * Tracks taint flow for reasoning about when a `ActiveThreatModelSource` is * converted into a special "passthrough" type which will not be escaped by the * template generator; this allows the injection of arbitrary content (html, * css, js) into the generated output of the templates. @@ -109,13 +109,13 @@ predicate isSinkToTemplateExec(DataFlow::Node sink, DataFlow::CallNode call) { } module FromUntrustedToTemplateExecutionCallConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) } } /** - * Tracks taint flow from a `ThreatModelFlowSource` into a template executor + * Tracks taint flow from a `ActiveThreatModelSource` into a template executor * call. */ module FromUntrustedToTemplateExecutionCallFlow = diff --git a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll index b0dde22c22c5..0d4bdfb1dd0c 100644 --- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll +++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll @@ -52,7 +52,7 @@ deprecated class Configuration extends TaintTracking::Configuration { Configuration() { this = "Condtional Expression Check Bypass" } override predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource + source instanceof ActiveThreatModelSource or exists(DataFlow::FieldReadNode f | f.getField().hasQualifiedName("net/http", "Request", "Host") @@ -71,7 +71,7 @@ deprecated class Configuration extends TaintTracking::Configuration { private module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource + source instanceof ActiveThreatModelSource or exists(DataFlow::FieldReadNode f | f.getField().hasQualifiedName("net/http", "Request", "Host") diff --git a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql index 3ecb323d04b2..b70be1ff42db 100644 --- a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql +++ b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql @@ -14,7 +14,7 @@ import go module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource + source instanceof ActiveThreatModelSource or source = any(Field f | f.hasQualifiedName("net/http", "Request", "Host")).getARead() } diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll index dd5eebc8b10b..42b017ac487d 100644 --- a/go/ql/src/experimental/CWE-918/SSRF.qll +++ b/go/ql/src/experimental/CWE-918/SSRF.qll @@ -87,14 +87,14 @@ module ServerSideRequestForgery { abstract class SanitizerEdge extends DataFlow::Node { } /** - * DEPRECATED: Use `ThreatModelFlowSource` or `Source` instead. + * DEPRECATED: Use `ActiveThreatModelSource` or `Source` instead. */ deprecated class UntrustedFlowAsSource = ThreatModelFlowAsSource; /** * An user controlled input, considered as a flow source for request forgery. */ - private class ThreatModelFlowAsSource extends Source instanceof ThreatModelFlowSource { } + private class ThreatModelFlowAsSource extends Source instanceof ActiveThreatModelSource { } /** * The URL of an HTTP request, viewed as a sink for request forgery. diff --git a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql index 11dae56fde9d..7a1ff256be1a 100644 --- a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql +++ b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql @@ -52,7 +52,7 @@ class AllowCredentialsHeaderWrite extends Http::HeaderWrite { } module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } additional predicate isSinkHW(DataFlow::Node sink, AllowOriginHeaderWrite hw) { sink = hw.getValue() @@ -70,7 +70,7 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig { } module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } additional predicate isSinkWrite(DataFlow::Node sink, GinCors::AllowOriginsWrite w) { sink = w } @@ -78,13 +78,13 @@ module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig { } /** - * Tracks taint flowfor reasoning about when a `ThreatModelFlowSource` flows to + * Tracks taint flowfor reasoning about when a `ActiveThreatModelSource` flows to * a `HeaderWrite` that writes an `Access-Control-Allow-Origin` header's value. */ module UntrustedToAllowOriginHeaderFlow = TaintTracking::Global; /** - * Tracks taint flowfor reasoning about when a `ThreatModelFlowSource` flows to + * Tracks taint flowfor reasoning about when a `ActiveThreatModelSource` flows to * a `AllowOriginsWrite` that writes an `Access-Control-Allow-Origin` header's value. */ module UntrustedToAllowOriginConfigFlow = TaintTracking::Global; @@ -121,7 +121,7 @@ predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) { /** * Holds if the provided `allowOriginHW` HeaderWrite's value is set using an - * ThreatModelFlowSource. + * ActiveThreatModelSource. * The `message` parameter is populated with the warning message to be returned by the query. */ predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOriginHW, string message) { @@ -169,7 +169,7 @@ class MapRead extends DataFlow::ElementReadNode { } module FromUntrustedConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { isSinkCgn(sink, _) } @@ -208,13 +208,13 @@ module FromUntrustedConfig implements DataFlow::ConfigSig { } /** - * Tracks taint flow for reasoning about when a `ThreatModelFlowSource` flows + * Tracks taint flow for reasoning about when a `ActiveThreatModelSource` flows * somewhere. */ module FromUntrustedFlow = TaintTracking::Global; /** - * Holds if the provided `allowOriginHW` is also destination of a `ThreatModelFlowSource`. + * Holds if the provided `allowOriginHW` is also destination of a `ActiveThreatModelSource`. */ predicate flowsToGuardedByCheckOnUntrusted(DataFlow::ExprNode allowOriginHW) { exists(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn | diff --git a/go/ql/src/experimental/frameworks/DecompressionBombs.qll b/go/ql/src/experimental/frameworks/DecompressionBombs.qll index 90df91245bf0..5828cd60e523 100644 --- a/go/ql/src/experimental/frameworks/DecompressionBombs.qll +++ b/go/ql/src/experimental/frameworks/DecompressionBombs.qll @@ -29,7 +29,7 @@ module DecompressionBomb { class FlowState = DecompressionBombs::FlowState; predicate isSource(DataFlow::Node source, FlowState state) { - source instanceof ThreatModelFlowSource and + source instanceof ActiveThreatModelSource and state = "" } diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/Test.qll b/go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/Test.qll index 856c748af7fe..794793a6a0a3 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/Test.qll +++ b/go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/Test.qll @@ -4,7 +4,7 @@ private import semmle.go.dataflow.ExternalFlow private import semmle.go.dataflow.DataFlow private module ThreatModelConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink = any(DataFlow::CallNode c | c.getTarget().getName() = "sink").getAnArgument() diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ql b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ql index db6bbb1a2d16..eb7ba46508e7 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ql +++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ql @@ -6,7 +6,7 @@ module SourceTest implements TestSig { string getARelevantTag() { result = "source" } predicate hasActualResult(Location location, string element, string tag, string value) { - exists(ThreatModelFlowSource s | + exists(ActiveThreatModelSource s | s.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(), location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and element = s.toString() and diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/file/test.ql b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/file/test.ql index db6bbb1a2d16..eb7ba46508e7 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/file/test.ql +++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/file/test.ql @@ -6,7 +6,7 @@ module SourceTest implements TestSig { string getARelevantTag() { result = "source" } predicate hasActualResult(Location location, string element, string tag, string value) { - exists(ThreatModelFlowSource s | + exists(ActiveThreatModelSource s | s.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(), location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and element = s.toString() and diff --git a/java/ql/lib/change-notes/2024-09-10-ActiveThreatModelSource.md b/java/ql/lib/change-notes/2024-09-10-ActiveThreatModelSource.md new file mode 100644 index 000000000000..a51e3e1deaf0 --- /dev/null +++ b/java/ql/lib/change-notes/2024-09-10-ActiveThreatModelSource.md @@ -0,0 +1,4 @@ +--- +category: deprecated +--- +* The class `ThreatModelFlowSource` has been renamed to `ActiveThreatModelSource` to more clearly reflect it only contains the currently active threat model sources. `ThreatModelFlowSource` has been marked as deprecated. diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll index d18d8e4c8a49..77af39967c69 100644 --- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll +++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll @@ -42,11 +42,18 @@ abstract class SourceNode extends DataFlow::Node { } /** + * DEPRECATED: Use `ActiveThreatModelSource` instead. + * * A class of data flow sources that respects the * current threat model configuration. */ -class ThreatModelFlowSource extends DataFlow::Node { - ThreatModelFlowSource() { +deprecated class ThreatModelFlowSource = ActiveThreatModelSource; + +/** + * A data flow source that is enabled in the current threat model configuration. + */ +class ActiveThreatModelSource extends DataFlow::Node { + ActiveThreatModelSource() { exists(string kind | // Specific threat model. currentThreatModel(kind) and @@ -195,7 +202,7 @@ abstract class LocalUserInput extends UserInput { /** * DEPRECATED: Use the threat models feature. - * That is, use `ThreatModelFlowSource` as the class of nodes for sources + * That is, use `ActiveThreatModelSource` as the class of nodes for sources * and set up the threat model configuration to filter source nodes. * Alternatively, use `getThreatModel` to filter nodes to create the * class of nodes you need. @@ -266,7 +273,7 @@ private class FileInput extends LocalUserInput { /** * DEPRECATED: Use the threat models feature. - * That is, use `ThreatModelFlowSource` as the class of nodes for sources + * That is, use `ActiveThreatModelSource` as the class of nodes for sources * and set up the threat model configuration to filter source nodes. * Alternatively, use `getThreatModel` to filter nodes to create the * class of nodes you need. diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll index 47db4f825c47..4984b8b050fd 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll @@ -640,7 +640,7 @@ private MethodCall callReturningSameType(Expr ref) { } private SrcRefType entrypointType() { - exists(ThreatModelFlowSource s, RefType t | + exists(ActiveThreatModelSource s, RefType t | s instanceof DataFlow::ExplicitParameterNode and t = pragma[only_bind_out](s).getType() and not t instanceof TypeObject and diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll index 0943fe8feaf7..109300458d29 100644 --- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll @@ -9,7 +9,7 @@ import semmle.code.java.security.AndroidIntentRedirection /** A taint tracking configuration for tainted Intents being used to start Android components. */ module IntentRedirectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink } @@ -38,7 +38,7 @@ private class OriginalIntentSanitizer extends IntentRedirectionSanitizer { * flowing directly to sinks that start Android components. */ private module SameIntentBeingRelaunchedConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink } @@ -74,7 +74,7 @@ private class IntentWithTaintedComponent extends DataFlow::Node { * A taint tracking configuration for tainted data flowing to an `Intent`'s component. */ private module TaintedIntentComponentConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { any(IntentSetComponent setComponent).getSink() = sink.asExpr() diff --git a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll index d7c5fe94f28a..0402aca69872 100644 --- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll +++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll @@ -75,7 +75,7 @@ class ExternalApkSource extends ApiSourceNode { sourceNode(this, "android-external-storage-dir") or this.asExpr().(MethodCall).getMethod() instanceof UriConstructorMethod or this.asExpr().(StringLiteral).getValue().matches("file://%") or - this instanceof ThreatModelFlowSource + this instanceof ActiveThreatModelSource } } diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll index 7d58de46a67f..51d6c284e1ca 100644 --- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll @@ -6,7 +6,7 @@ private import semmle.code.java.security.ArithmeticCommon /** A taint-tracking configuration to reason about overflow from unvalidated input. */ module ArithmeticOverflowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) } @@ -22,7 +22,7 @@ deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig; /** A taint-tracking configuration to reason about underflow from unvalidated input. */ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) } diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll index 692bdfc1a708..af5476f8b3df 100644 --- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll @@ -49,7 +49,7 @@ private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer * A taint-tracking configuration for unvalidated user input that is used to run an external process. */ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll index 96d3c5a528c3..03ba8d461979 100644 --- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll @@ -40,7 +40,7 @@ private predicate endsWithStep(DataFlow::Node node1, DataFlow::Node node2) { * A taint tracking configuration for untrusted data flowing to sensitive conditions. */ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) } diff --git a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll index 6838555179a6..360493e26356 100644 --- a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll +++ b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll @@ -93,10 +93,10 @@ class ExternalApiDataNode extends DataFlow::Node { } /** - * Taint tracking configuration for flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. + * Taint tracking configuration for flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } } diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll index 4c8639010e2c..da440e0cd2c9 100644 --- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll @@ -16,7 +16,7 @@ private class StringFormatSink extends ApiSinkNode { * A taint-tracking configuration for externally controlled format string vulnerabilities. */ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof StringFormatSink } diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll index b2ab5464e235..40636ffd8c25 100644 --- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll @@ -10,7 +10,7 @@ import semmle.code.java.security.FragmentInjection * that is used to create Android fragments dynamically. */ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll index 8151755f69fc..b497873b9bb1 100644 --- a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll @@ -10,7 +10,7 @@ import semmle.code.java.security.GroovyInjection * that is used to evaluate a Groovy expression. */ module GroovyInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll index 8bef1ec36501..2af9396a119e 100644 --- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll @@ -9,7 +9,7 @@ private import semmle.code.java.dataflow.FlowSources * user-provided size used for array construction. */ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _) diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll index 440600b8a7ca..6d11962f2f45 100644 --- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll @@ -9,7 +9,7 @@ private import semmle.code.java.dataflow.FlowSources * of user-provided array index. */ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr()) diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll index be42e09a1cce..e1c840ce2642 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll @@ -46,7 +46,7 @@ class SetMessageInterpolatorCall extends MethodCall { * to the argument of a method that builds constraint error messages. */ module BeanValidationConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink } diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll index 855694b299b6..5ac8024d81f2 100644 --- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll @@ -12,7 +12,7 @@ private import IntentUriPermissionManipulation * A taint tracking configuration for user-provided Intents being returned to third party apps. */ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof IntentUriPermissionManipulationSink } diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll index bf87df361b3c..4ad1dd3ba310 100644 --- a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll @@ -44,7 +44,7 @@ private class DefaultJexlInjectionAdditionalTaintStep extends JexlInjectionAddit * It supports both JEXL 2 and 3. */ module JexlInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink } diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll index 167d56732cd3..f50787fef024 100644 --- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll @@ -11,7 +11,7 @@ private import semmle.code.java.security.Sanitizers * A taint-tracking configuration for unvalidated user input that is used in JNDI lookup. */ module JndiInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll index b6daea4b4738..ef27fa3cd16b 100644 --- a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll @@ -8,7 +8,7 @@ import semmle.code.java.security.LdapInjection * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries. */ module LdapInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof LdapInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll index cebc807cc472..64d59993b3da 100644 --- a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll @@ -8,7 +8,7 @@ import semmle.code.java.security.LogInjection * A taint-tracking configuration for tracking untrusted user input used in log entries. */ module LogInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll index da5bcb6931bc..d0f6e02357b8 100644 --- a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll @@ -10,7 +10,7 @@ import semmle.code.java.security.MvelInjection * that is used to construct and evaluate a MVEL expression. */ module MvelInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof MvelEvaluationSink } diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll index 2dd3cf89add5..7efa6e030624 100644 --- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll @@ -85,7 +85,7 @@ private predicate smallExpr(Expr e) { * numeric cast. */ module NumericCastFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll index a25b257574b6..d9bfad412599 100644 --- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll @@ -9,7 +9,7 @@ private import semmle.code.java.security.Sanitizers * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation. */ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll index e4d2d60b92e9..78b9098beeef 100644 --- a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll +++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll @@ -12,7 +12,7 @@ import semmle.code.java.dataflow.FlowSources * and remains vulnerable to Partial Path Traversal. */ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node node) { any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr() diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll index f929e97a8ff3..ec4bbaf8d091 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll @@ -12,7 +12,7 @@ import semmle.code.java.security.RequestForgery */ module RequestForgeryConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource and + source instanceof ActiveThreatModelSource and // Exclude results of remote HTTP requests: fetching something else based on that result // is no worse than following a redirect returned by the remote server, and typically // we're requesting a resource via https which we trust to only send us to safe URLs. diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll index 7c43d32a407e..9bd96a51a68d 100644 --- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll @@ -10,7 +10,7 @@ import semmle.code.java.security.ResponseSplitting */ module ResponseSplittingConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource and + source instanceof ActiveThreatModelSource and not source instanceof SafeHeaderSplittingSource } diff --git a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll index e22dcef12113..f3a07480cf06 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll @@ -19,7 +19,7 @@ private class ResultReceiverSendCall extends MethodCall { } private module UntrustedResultReceiverConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node node) { node.asExpr() = any(ResultReceiverSendCall c).getReceiver() diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll index 55e8eb94f83f..a982b094ee49 100644 --- a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll @@ -11,7 +11,7 @@ private import semmle.code.java.security.SpelInjection * that is used to construct and evaluate a SpEL expression. */ module SpelInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof SpelExpressionEvaluationSink } diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll index c4638538a635..0aaf46cf2dd5 100644 --- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll @@ -15,7 +15,7 @@ import semmle.code.java.security.QueryInjection * A taint-tracking configuration for unvalidated user input that is used in SQL queries. */ module QueryInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll index beb0921fc47e..597c05b04541 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll @@ -26,7 +26,7 @@ abstract class ExecTaintedEnvironmentSanitizer extends DataFlow::Node { } * A taint-tracking configuration that tracks flow from unvalidated data to an environment variable for a subprocess. */ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isBarrier(DataFlow::Node barrier) { barrier instanceof ExecTaintedEnvironmentSanitizer } diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll index 6be7b4dc83fb..6726bcc35086 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll @@ -60,7 +60,7 @@ private class TaintPreservingUriCtorParam extends Parameter { * A taint-tracking configuration for tracking flow from remote sources to the creation of a path. */ module TaintedPathConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof TaintedPathSink } diff --git a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll index 132e8a3fadf2..eb5b589a98ba 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll @@ -54,7 +54,7 @@ private class WildCardPermissionConstruction extends ClassInstanceExpr, Permissi * A configuration for tracking flow from user input to a permissions check. */ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(PermissionsConstruction p).getInput() diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll index f2cc980a0d81..a74f4db8030a 100644 --- a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll +++ b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll @@ -83,7 +83,7 @@ abstract deprecated class TemplateInjectionSanitizerWithState extends DataFlow:: abstract deprecated predicate hasState(DataFlow::FlowState state); } -private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof ThreatModelFlowSource +private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof ActiveThreatModelSource { } private class DefaultTemplateInjectionSink extends TemplateInjectionSink { diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll index b93b3f0ca1a9..f70542486dee 100644 --- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll @@ -13,7 +13,7 @@ private import semmle.code.java.security.Sanitizers */ abstract class TrustBoundaryViolationSource extends DataFlow::Node { } -private class ThreatModelSource extends TrustBoundaryViolationSource instanceof ThreatModelFlowSource +private class ThreatModelSource extends TrustBoundaryViolationSource instanceof ActiveThreatModelSource { } /** diff --git a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll index 3239b387d8e0..1c9d2809eba7 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll @@ -10,7 +10,7 @@ import semmle.code.java.security.UnsafeAndroidAccess * A taint configuration tracking flow from untrusted inputs to a resource fetching call. */ module FetchUntrustedResourceConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll index 8c214d59b9eb..d072de05c1c4 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll @@ -9,7 +9,7 @@ import semmle.code.java.security.UnsafeContentUriResolution * A taint-tracking configuration to find paths from remote sources to content URI resolutions. */ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll index de9a920446d5..9a627d54c5ae 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll @@ -316,7 +316,7 @@ private predicate isUnsafeDeserializationTaintStep(DataFlow::Node pred, DataFlow /** Tracks flows from remote user input to a deserialization sink. */ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink } @@ -418,7 +418,7 @@ private predicate isUnsafeTypeAdditionalTaintStep(DataFlow::Node fromNode, DataF * If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type. */ module UnsafeTypeConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeTypeSink } diff --git a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll index 48c8e50bfaf4..bc3b40009270 100644 --- a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll @@ -178,7 +178,7 @@ private class FullyDecodesUrlBarrier extends DataFlow::Node { */ module UrlForwardFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource and + source instanceof ActiveThreatModelSource and // excluded due to FPs not exists(MethodCall mc, Method m | m instanceof HttpServletRequestGetRequestUriMethod or diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll index fff546fc5030..26d133d4adb3 100644 --- a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll @@ -8,7 +8,7 @@ private import semmle.code.java.security.UrlRedirect * A taint-tracking configuration for reasoning about URL redirections. */ module UrlRedirectConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink } diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll index 6c541f66940e..e387f0d0e118 100644 --- a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll @@ -9,7 +9,7 @@ private import semmle.code.java.security.XPath * A taint-tracking configuration for reasoning about XPath injection vulnerabilities. */ module XPathInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll index 304ec3327a17..7ff745a057ca 100644 --- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll @@ -11,7 +11,7 @@ private import semmle.code.java.security.Sanitizers * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation. */ module XsltInjectionFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink } diff --git a/java/ql/lib/semmle/code/java/security/XssQuery.qll b/java/ql/lib/semmle/code/java/security/XssQuery.qll index dba80ecc1391..c0d7035a4f9a 100644 --- a/java/ql/lib/semmle/code/java/security/XssQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XssQuery.qll @@ -9,7 +9,7 @@ import semmle.code.java.security.XSS * A taint-tracking configuration for cross site scripting vulnerabilities. */ module XssConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof XssSink } diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll index da092d2e11f3..ecfdb7c4ae1c 100644 --- a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll @@ -9,7 +9,7 @@ private import semmle.code.java.security.XxeQuery * A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion. */ module XxeConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink } diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll index 55c1a043230a..ba65e13dd611 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll +++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll @@ -35,7 +35,7 @@ private class LengthRestrictedMethod extends Method { /** A configuration for Polynomial ReDoS queries. */ module PolynomialRedosConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp | diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll index 81246814dc21..533482a8af14 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll @@ -9,7 +9,7 @@ import semmle.code.java.security.regexp.RegexInjection * A taint-tracking configuration for untrusted user input used to construct regular expressions. */ module RegexInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql index 442c45f4328b..b729aceffeec 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql @@ -40,7 +40,7 @@ class Log4jInjectionSanitizer extends DataFlow::Node instanceof SimpleTypeSaniti * A taint-tracking configuration for tracking untrusted user input used in log entries. */ module Log4jInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof Log4jInjectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql index 4b71c297c230..19ce02635605 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql @@ -33,7 +33,7 @@ class UrlConstructor extends ClassInstanceExpr { } module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(MethodCall m | diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql index 6fab554ac672..1c50f8304fc9 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql @@ -50,7 +50,7 @@ class NormalizedPathNode extends DataFlow::Node { } module InjectFilePathConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof TaintedPathSink and diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql index 88733773de12..60a28d2b252a 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql @@ -14,7 +14,7 @@ import CommandInjectionRuntimeExec import ExecUserFlow::PathGraph -class ThreatModelSource extends Source instanceof ThreatModelFlowSource { } +class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } from ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd, diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql index e57795431257..a67d0e06f161 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql @@ -21,7 +21,7 @@ private import semmle.code.java.security.Sanitizers import MyBatisAnnotationSqlInjectionFlow::PathGraph private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument } diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql index 32cd2904dcee..7597f0f67a57 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql @@ -21,7 +21,7 @@ private import semmle.code.java.security.Sanitizers import MyBatisMapperXmlSqlInjectionFlow::PathGraph private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql index d1d5ee936915..75ef4e6fec27 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql @@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking import BeanShellInjectionFlow::PathGraph module BeanShellInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql index 88eebc1ab7fe..500c6dabca9c 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql @@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking import JShellInjectionFlow::PathGraph module JShellInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll index cd5d50338b9c..85a1dd11dad0 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll @@ -8,7 +8,7 @@ import semmle.code.java.dataflow.TaintTracking * that is used to construct and evaluate an expression. */ module JakartaExpressionInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionEvaluationSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql index 1dfadce60916..cc919385ba4c 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql @@ -99,17 +99,17 @@ class CodeInjectionSink extends DataFlow::ExprNode { } /** - * A taint configuration for tracking flow from `ThreatModelFlowSource` to a Jython method call + * A taint configuration for tracking flow from `ActiveThreatModelSource` to a Jython method call * `CodeInjectionSink` that executes injected code. */ module CodeInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } } /** - * Taint tracking flow from `ThreatModelFlowSource` to a Jython method call + * Taint tracking flow from `ActiveThreatModelSource` to a Jython method call * `CodeInjectionSink` that executes injected code. */ module CodeInjectionFlow = TaintTracking::Global; diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql index 0792d8e498ae..6f8f7ec1cb37 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql @@ -131,11 +131,11 @@ class ScriptInjectionSink extends DataFlow::ExprNode { } /** - * A taint tracking configuration that tracks flow from `ThreatModelFlowSource` to an argument + * A taint tracking configuration that tracks flow from `ActiveThreatModelSource` to an argument * of a method call that executes injected script. */ module ScriptInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink } } diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll index 310aafb30f5e..256947a2dc79 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll @@ -42,7 +42,7 @@ class PortletRenderRequestMethod extends Method { */ module SpringViewManipulationConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource or + source instanceof ActiveThreatModelSource or source instanceof WebRequestSource or source.asExpr().(MethodCall).getMethod() instanceof PortletRenderRequestMethod } diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql index f32c1682c291..1a5a97a8691a 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql @@ -19,7 +19,7 @@ import AndroidWebResourceResponse import InsecureWebResourceResponseFlow::PathGraph module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll index e865e18ecaa6..8e545a5e8f04 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll @@ -148,7 +148,7 @@ private predicate updateMessageDigestStep(DataFlow2::Node fromNode, DataFlow2::N * such as cipher, MAC or signature. */ private module UserInputInCryptoOperationConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(ProduceCryptoCall call | call.getQualifier() = sink.asExpr()) @@ -214,7 +214,7 @@ private class NonConstantTimeComparisonCall extends StaticMethodCall { * that compare inputs using a non-constant-time algorithm. */ private module UserInputInComparisonConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(NonConstantTimeEqualsCall call | diff --git a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql index 9d47e177a271..3c450d4e04c1 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql @@ -63,7 +63,7 @@ module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig { module CorsSourceReachesCheckFlow = TaintTracking::Global; private module CorsOriginConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(MethodCall corsHeader, MethodCall allowCredentialsHeader | diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql index 647175797be7..ce5ba05b6196 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql @@ -22,7 +22,7 @@ import RequestResponseFlow::PathGraph /** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */ module RequestResponseFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof ThreatModelFlowSource and + source instanceof ActiveThreatModelSource and any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable()) } diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll index 65a75392ef45..b0d2897ea54e 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll @@ -79,7 +79,7 @@ class JsonpBuilderExpr extends AddExpr { /** A data flow configuration tracing flow from threat model sources to jsonp function name. */ module ThreatModelFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(JsonpBuilderExpr jhe | jhe.getFunctionName() = sink.asExpr()) diff --git a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql index 7cfd1f2ef9cd..44af710990cf 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql @@ -17,7 +17,7 @@ import ThreadResourceAbuseFlow::PathGraph /** Taint configuration of uncontrolled thread resource consumption. */ module ThreadResourceAbuseConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql index a525e2c80672..f18355b1d976 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql @@ -32,7 +32,7 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) { } module UnsafeReflectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql index ea162cf6d287..c318bd300f5b 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql @@ -65,9 +65,9 @@ class UncaughtServletExceptionSink extends DataFlow::ExprNode { } } -/** Taint configuration of uncaught exceptions caused by user provided data from `ThreatModelFlowSource` */ +/** Taint configuration of uncaught exceptions caused by user provided data from `ActiveThreatModelSource` */ module UncaughtServletExceptionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UncaughtServletExceptionSink } } diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql index 9ab24bdb659c..8b300a082884 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql @@ -26,7 +26,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) { } module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink } diff --git a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql index f7a8c335f1a9..a758b86279d6 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql @@ -20,7 +20,7 @@ import XQueryInjectionFlow::PathGraph * A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution. */ module XQueryInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or diff --git a/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql b/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql index f2c31e566b8c..c6737a11c323 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql @@ -24,7 +24,7 @@ import NfeLocalDoSFlow::PathGraph */ module NfeLocalDoSConfig implements DataFlow::ConfigSig { /** Holds if source is a remote flow source */ - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } /** Holds if NFE is thrown but not caught */ predicate isSink(DataFlow::Node sink) { diff --git a/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql b/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql index 73dc7d8b30a0..9ef1e3867d2d 100644 --- a/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql +++ b/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql @@ -9,7 +9,7 @@ class TestRemoteFlowSource extends RemoteFlowSource { } module TaintFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node n) { n instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node n) { n instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node n) { exists(MethodCall ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument()) diff --git a/java/ql/test/library-tests/dataflow/threat-models/Test.qll b/java/ql/test/library-tests/dataflow/threat-models/Test.qll index a0d85680270c..742cea3dda6c 100644 --- a/java/ql/test/library-tests/dataflow/threat-models/Test.qll +++ b/java/ql/test/library-tests/dataflow/threat-models/Test.qll @@ -5,7 +5,7 @@ private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.TaintTracking private module ThreatModelConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) } } diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql index d7d94430486f..348956f24982 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql @@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { DefaultFlowConfig::isSource(node) or - node instanceof ThreatModelFlowSource + node instanceof ActiveThreatModelSource } predicate isSink = DefaultFlowConfig::isSink/1; diff --git a/java/ql/test/library-tests/frameworks/android/content-provider/test.ql b/java/ql/test/library-tests/frameworks/android/content-provider/test.ql index 8293f7f4ff4c..b83f43911bd3 100644 --- a/java/ql/test/library-tests/frameworks/android/content-provider/test.ql +++ b/java/ql/test/library-tests/frameworks/android/content-provider/test.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module ProviderTaintFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node n) { n instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node n) { n instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node n) { DefaultFlowConfig::isSink(n) } diff --git a/java/ql/test/library-tests/frameworks/android/external-storage/test.ql b/java/ql/test/library-tests/frameworks/android/external-storage/test.ql index 89a353eedc91..042f7b303900 100644 --- a/java/ql/test/library-tests/frameworks/android/external-storage/test.ql +++ b/java/ql/test/library-tests/frameworks/android/external-storage/test.ql @@ -4,7 +4,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module Config implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink.asExpr().(Argument).getCall().getCallee().hasName("sink") diff --git a/java/ql/test/library-tests/frameworks/android/slice/test.ql b/java/ql/test/library-tests/frameworks/android/slice/test.ql index 8540c0604a88..a8b467d1ba0b 100644 --- a/java/ql/test/library-tests/frameworks/android/slice/test.ql +++ b/java/ql/test/library-tests/frameworks/android/slice/test.ql @@ -5,7 +5,7 @@ import semmle.code.java.dataflow.FlowSources module SliceValueFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - DefaultFlowConfig::isSource(source) or source instanceof ThreatModelFlowSource + DefaultFlowConfig::isSource(source) or source instanceof ActiveThreatModelSource } predicate isSink = DefaultFlowConfig::isSink/1; diff --git a/java/ql/test/library-tests/frameworks/android/sources/OnActivityResultSourceTest.ql b/java/ql/test/library-tests/frameworks/android/sources/OnActivityResultSourceTest.ql index 9b067cd00dde..96d9523b2a5c 100644 --- a/java/ql/test/library-tests/frameworks/android/sources/OnActivityResultSourceTest.ql +++ b/java/ql/test/library-tests/frameworks/android/sources/OnActivityResultSourceTest.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module SourceValueFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) } diff --git a/java/ql/test/library-tests/frameworks/apache-http/flow.ql b/java/ql/test/library-tests/frameworks/apache-http/flow.ql index 2ca4eeafdb3d..b2f5b2d023b2 100644 --- a/java/ql/test/library-tests/frameworks/apache-http/flow.ql +++ b/java/ql/test/library-tests/frameworks/apache-http/flow.ql @@ -9,7 +9,7 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node n) { n.asExpr().(MethodCall).getMethod().hasName("taint") or - n instanceof ThreatModelFlowSource + n instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node n) { diff --git a/java/ql/test/library-tests/frameworks/guice/flow.ql b/java/ql/test/library-tests/frameworks/guice/flow.ql index 37a478bc3a72..629341a03838 100644 --- a/java/ql/test/library-tests/frameworks/guice/flow.ql +++ b/java/ql/test/library-tests/frameworks/guice/flow.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking module Config implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(MethodCall ma | diff --git a/java/ql/test/library-tests/frameworks/jms/FlowTest.ql b/java/ql/test/library-tests/frameworks/jms/FlowTest.ql index b203bc936821..b63aedbf9845 100644 --- a/java/ql/test/library-tests/frameworks/jms/FlowTest.ql +++ b/java/ql/test/library-tests/frameworks/jms/FlowTest.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineExpectationsTest module TestConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { exists(MethodCall call | diff --git a/java/ql/test/library-tests/frameworks/netty/manual/test.ql b/java/ql/test/library-tests/frameworks/netty/manual/test.ql index 70da9eb5f0f4..a4142390e85a 100644 --- a/java/ql/test/library-tests/frameworks/netty/manual/test.ql +++ b/java/ql/test/library-tests/frameworks/netty/manual/test.ql @@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { DefaultFlowConfig::isSource(node) or - node instanceof ThreatModelFlowSource + node instanceof ActiveThreatModelSource } predicate isSink = DefaultFlowConfig::isSink/1; diff --git a/java/ql/test/library-tests/frameworks/rabbitmq/FlowTest.ql b/java/ql/test/library-tests/frameworks/rabbitmq/FlowTest.ql index 2f3cf27cf7a2..0fdb21094387 100644 --- a/java/ql/test/library-tests/frameworks/rabbitmq/FlowTest.ql +++ b/java/ql/test/library-tests/frameworks/rabbitmq/FlowTest.ql @@ -4,7 +4,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module Config implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node node) { exists(MethodCall ma | ma.getMethod().hasName("sink") | node.asExpr() = ma.getAnArgument()) diff --git a/java/ql/test/library-tests/frameworks/ratpack/flow.ql b/java/ql/test/library-tests/frameworks/ratpack/flow.ql index ed8d3d23937a..2d5b5b2e4716 100644 --- a/java/ql/test/library-tests/frameworks/ratpack/flow.ql +++ b/java/ql/test/library-tests/frameworks/ratpack/flow.ql @@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node n) { n.asExpr().(MethodCall).getMethod().hasName("taint") or - n instanceof ThreatModelFlowSource + n instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node n) { diff --git a/java/ql/test/library-tests/frameworks/spring/controller/test.ql b/java/ql/test/library-tests/frameworks/spring/controller/test.ql index d8f6b13e8702..e85137dcd57a 100644 --- a/java/ql/test/library-tests/frameworks/spring/controller/test.ql +++ b/java/ql/test/library-tests/frameworks/spring/controller/test.ql @@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources import TestUtilities.InlineFlowTest module ValueFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink.asExpr().(Argument).getCall().getCallee().hasName("sink")