Python: deprecate old taint-tracking related predicates

Author: RasmusWL

python/ql/lib/semmle/python/security/Paths.qll

@@ -1,6 +1,6 @@
 import semmle.python.dataflow.Implementation
 
-module TaintTrackingPaths {
+deprecated module TaintTrackingPaths {
   predicate edge(TaintTrackingNode src, TaintTrackingNode dest, string label) {
     exists(TaintTrackingNode source, TaintTrackingNode sink |
       source.getConfiguration().hasFlowPath(source, sink) and
@@ -11,6 +11,6 @@ module TaintTrackingPaths {
   }
 }
 
-query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) {
+deprecated query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) {
   TaintTrackingPaths::edge(fromnode, tonode, _)
 }

python/ql/lib/semmle/python/security/flow/AnyCall.qll

@@ -2,7 +2,7 @@ import python
 import semmle.python.security.strings.Basic
 
 /** Assume that taint flows from argument to result for *any* call */
-class AnyCallStringFlow extends DataFlowExtension::DataFlowNode {
+deprecated class AnyCallStringFlow extends DataFlowExtension::DataFlowNode {
   AnyCallStringFlow() { any(CallNode call).getAnArg() = this }
 
   override ControlFlowNode getASuccessorNode() { result.(CallNode).getAnArg() = this }

python/ql/lib/semmle/python/security/strings/Basic.qll

@@ -3,7 +3,7 @@ private import Common
 import semmle.python.dataflow.TaintTracking
 
 /** An extensible kind of taint representing any kind of string. */
-abstract class StringKind extends TaintKind {
+abstract deprecated class StringKind extends TaintKind {
   bindingset[this]
   StringKind() { this = this }
 
@@ -42,7 +42,7 @@ abstract class StringKind extends TaintKind {
   }
 }
 
-private class StringEqualitySanitizer extends Sanitizer {
+deprecated private class StringEqualitySanitizer extends Sanitizer {
   StringEqualitySanitizer() { this = "string equality sanitizer" }
 
   /** The test `if untrusted == "KNOWN_VALUE":` sanitizes `untrusted` on its `true` edge. */
@@ -64,13 +64,13 @@ private class StringEqualitySanitizer extends Sanitizer {
 }
 
 /** tonode = ....format(fromnode) */
-private predicate str_format(ControlFlowNode fromnode, CallNode tonode) {
+deprecated private predicate str_format(ControlFlowNode fromnode, CallNode tonode) {
   tonode.getFunction().(AttrNode).getName() = "format" and
   tonode.getAnArg() = fromnode
 }
 
 /** tonode = codec.[en|de]code(fromnode) */
-private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
+deprecated private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
   exists(FunctionObject func, string name |
     not func.getFunction().isMethod() and
     func.getACall() = tonode and
@@ -84,7 +84,7 @@ private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
 }
 
 /** tonode = str(fromnode) */
-private predicate to_str(ControlFlowNode fromnode, CallNode tonode) {
+deprecated private predicate to_str(ControlFlowNode fromnode, CallNode tonode) {
   tonode.getAnArg() = fromnode and
   (
     tonode = ClassValue::bytes().getACall()
@@ -94,7 +94,7 @@ private predicate to_str(ControlFlowNode fromnode, CallNode tonode) {
 }
 
 /** tonode = fromnode[:] */
-private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
+deprecated private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
   exists(Slice all |
     all = tonode.getIndex().getNode() and
     not exists(all.getStart()) and
@@ -104,13 +104,13 @@ private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
 }
 
 /** tonode = os.path.join(..., fromnode, ...) */
-private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
+deprecated private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
   tonode = Value::named("os.path.join").getACall() and
   tonode.getAnArg() = fromnode
 }
 
 /** tonode = f"... {fromnode} ..." */
-private predicate f_string(ControlFlowNode fromnode, ControlFlowNode tonode) {
+deprecated private predicate f_string(ControlFlowNode fromnode, ControlFlowNode tonode) {
   tonode.getNode().(Fstring).getAValue() = fromnode.getNode()
 }
 
@@ -119,6 +119,6 @@ private predicate f_string(ControlFlowNode fromnode, ControlFlowNode tonode) {
  *
  * DEPRECATED: Use `ExternalStringDictKind` instead.
  */
-deprecated class StringDictKind extends DictKind {
+deprecated deprecated class StringDictKind extends DictKind {
   StringDictKind() { this.getValue() instanceof StringKind }
 }

python/ql/lib/semmle/python/security/strings/Common.qll

@@ -1,7 +1,7 @@
 import python
 
 /* A call that returns a copy (or similar) of the argument */
-predicate copy_call(ControlFlowNode fromnode, CallNode tonode) {
+deprecated predicate copy_call(ControlFlowNode fromnode, CallNode tonode) {
   tonode.getFunction().(AttrNode).getObject("copy") = fromnode
   or
   exists(ModuleValue copy, string name | name = "copy" or name = "deepcopy" |

python/ql/lib/semmle/python/security/strings/External.qll

@@ -5,7 +5,7 @@ private import Common
 /**
  * An extensible kind of taint representing an externally controlled string.
  */
-abstract class ExternalStringKind extends StringKind {
+abstract deprecated class ExternalStringKind extends StringKind {
   bindingset[this]
   ExternalStringKind() { this = this }
 
@@ -30,15 +30,15 @@ abstract class ExternalStringKind extends StringKind {
 }
 
 /** A kind of "taint", representing a sequence, with a "taint" member */
-class ExternalStringSequenceKind extends SequenceKind {
+deprecated class ExternalStringSequenceKind extends SequenceKind {
   ExternalStringSequenceKind() { this.getItem() instanceof ExternalStringKind }
 }
 
 /**
  * An hierachical dictionary or list where the entire structure is externally controlled
  * This is typically a parsed JSON object.
  */
-class ExternalJsonKind extends TaintKind {
+deprecated class ExternalJsonKind extends TaintKind {
   ExternalJsonKind() { this = "json[" + any(ExternalStringKind key) + "]" }
 
   /** Gets the taint kind for item in this sequence */
@@ -61,20 +61,20 @@ class ExternalJsonKind extends TaintKind {
 }
 
 /** A kind of "taint", representing a dictionary mapping keys to tainted strings. */
-class ExternalStringDictKind extends DictKind {
+deprecated class ExternalStringDictKind extends DictKind {
   ExternalStringDictKind() { this.getValue() instanceof ExternalStringKind }
 }
 
 /**
  * A kind of "taint", representing a dictionary mapping keys to sequences of
  *  tainted strings.
  */
-class ExternalStringSequenceDictKind extends DictKind {
+deprecated class ExternalStringSequenceDictKind extends DictKind {
   ExternalStringSequenceDictKind() { this.getValue() instanceof ExternalStringSequenceKind }
 }
 
 /** TaintKind for the result of `urlsplit(tainted_string)` */
-class ExternalUrlSplitResult extends ExternalStringSequenceKind {
+deprecated class ExternalUrlSplitResult extends ExternalStringSequenceKind {
   // https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlsplit
   override TaintKind getTaintOfAttribute(string name) {
     result = super.getTaintOfAttribute(name)
@@ -103,7 +103,7 @@ class ExternalUrlSplitResult extends ExternalStringSequenceKind {
 }
 
 /** TaintKind for the result of `urlparse(tainted_string)` */
-class ExternalUrlParseResult extends ExternalStringSequenceKind {
+deprecated class ExternalUrlParseResult extends ExternalStringSequenceKind {
   // https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse
   override TaintKind getTaintOfAttribute(string name) {
     result = super.getTaintOfAttribute(name)
@@ -134,20 +134,20 @@ class ExternalUrlParseResult extends ExternalStringSequenceKind {
 
 /* Helper for getTaintForStep() */
 pragma[noinline]
-private predicate json_subscript_taint(
+deprecated deprecated private predicate json_subscript_taint(
   SubscriptNode sub, ControlFlowNode obj, ExternalJsonKind seq, TaintKind key
 ) {
   sub.isLoad() and
   sub.getObject() = obj and
   key = seq.getValue()
 }
 
-private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {
+deprecated private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {
   tonode = Value::named("json.loads").getACall() and
   tonode.getArg(0) = fromnode
 }
 
-private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {
+deprecated private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {
   // This could be implemented as `exists(FunctionValue` without the explicit six part,
   // but then our tests will need to import +100 modules, so for now this slightly
   // altered version gets to live on.
@@ -166,7 +166,7 @@ private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {
   )
 }
 
-private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) {
+deprecated private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) {
   // This could be implemented as `exists(FunctionValue` without the explicit six part,
   // but then our tests will need to import +100 modules, so for now this slightly
   // altered version gets to live on.
@@ -185,7 +185,7 @@ private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) {
   )
 }
 
-private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) {
+deprecated private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) {
   // This could be implemented as `exists(FunctionValue` without the explicit six part,
   // but then our tests will need to import +100 modules, so for now this slightly
   // altered version gets to live on.
@@ -211,7 +211,7 @@ private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) {
   )
 }
 
-private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) {
+deprecated private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) {
   // This could be implemented as `exists(FunctionValue` without the explicit six part,
   // but then our tests will need to import +100 modules, so for now this slightly
   // altered version gets to live on.
@@ -238,7 +238,7 @@ private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) {
 }
 
 /** A kind of "taint", representing an open file-like object from an external source. */
-class ExternalFileObject extends TaintKind {
+deprecated class ExternalFileObject extends TaintKind {
   ExternalStringKind valueKind;
 
   ExternalFileObject() { this = "file[" + valueKind + "]" }
@@ -266,7 +266,7 @@ class ExternalFileObject extends TaintKind {
  * - `if splitres.netloc == "KNOWN_VALUE"`
  * - `if splitres[0] == "KNOWN_VALUE"`
  */
-class UrlsplitUrlparseTempSanitizer extends Sanitizer {
+deprecated class UrlsplitUrlparseTempSanitizer extends Sanitizer {
   // TODO: remove this once we have better support for named tuples
   UrlsplitUrlparseTempSanitizer() { this = "UrlsplitUrlparseTempSanitizer" }
 

python/ql/lib/semmle/python/security/strings/Untrusted.qll

@@ -5,6 +5,6 @@ import External
  * A kind of taint representing an externally controlled string.
  * This class is a simple sub-class of `ExternalStringKind`.
  */
-class UntrustedStringKind extends ExternalStringKind {
+deprecated class UntrustedStringKind extends ExternalStringKind {
   UntrustedStringKind() { this = "externally controlled string" }
 }