Merge pull request github#7659 from RasmusWL/move-regex-injection-files

Python: Move regex injection configuration files

Author: yoff

python/ql/lib/change-notes/2022-01-19-move-regex-injection.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* Moved the files defining regex injection configuration and customization, instead of `import semmle.python.security.injection.RegexInjection` please use `import semmle.python.security.dataflow.RegexInjection` (the same for `RegexInjectionCustomizations`).

python/ql/lib/semmle/python/security/dataflow/RegexInjection.qll

@@ -0,0 +1,37 @@
+/**
+ * Provides a taint-tracking configuration for detecting regular expression injection
+ * vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `RegexInjection::Configuration` is needed, otherwise
+ * `RegexInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+
+/**
+ * Provides a taint-tracking configuration for detecting regular expression injection
+ * vulnerabilities.
+ */
+module RegexInjection {
+  import RegexInjectionCustomizations::RegexInjection
+
+  /**
+   * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "RegexInjection" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
+  }
+}

python/ql/lib/semmle/python/security/dataflow/RegexInjectionCustomizations.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "regular expression injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "regular expression injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module RegexInjection {
+  /**
+   * A data flow source for "regular expression injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A sink for "regular expression injection" vulnerabilities is the execution of a regular expression.
+   * If you have a custom way to execute regular expressions, you can extend `RegexExecution::Range`.
+   */
+  class Sink extends DataFlow::Node {
+    RegexExecution regexExecution;
+
+    Sink() { this = regexExecution.getRegex() }
+
+    /** Gets the call that executes the regular expression marked by this sink. */
+    RegexExecution getRegexExecution() { result = regexExecution }
+  }
+
+  /**
+   * A sanitizer for "regular expression injection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for "regular expression injection" vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A regex escaping, considered as a sanitizer.
+   */
+  class RegexEscapingAsSanitizer extends Sanitizer {
+    RegexEscapingAsSanitizer() {
+      // Due to use-use flow, we want the output rather than an input
+      // (so the input can still flow to other sinks).
+      this = any(RegexEscaping esc).getOutput()
+    }
+  }
+}

python/ql/lib/semmle/python/security/injection/RegexInjection.qll

@@ -1,37 +1,6 @@
-/**
- * Provides a taint-tracking configuration for detecting regular expression injection
- * vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `RegexInjection::Configuration` is needed, otherwise
- * `RegexInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED: use semmle.python.security.dataflow.RegexInjection instead. */
 
-private import python
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.security.dataflow.RegexInjection as New
 
-/**
- * Provides a taint-tracking configuration for detecting regular expression injection
- * vulnerabilities.
- */
-module RegexInjection {
-  import RegexInjectionCustomizations::RegexInjection
-
-  /**
-   * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "RegexInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
-}
+/** DEPRECATED: use semmle.python.security.dataflow.RegexInjection instead. */
+deprecated module RegexInjection = New::RegexInjection;

python/ql/lib/semmle/python/security/injection/RegexInjectionCustomizations.qll

@@ -1,62 +1,6 @@
-/**
- * Provides default sources, sinks and sanitizers for detecting
- * "regular expression injection"
- * vulnerabilities, as well as extension points for adding your own.
- */
+/** DEPRECATED: use semmle.python.security.dataflow.RegexInjectionCustomizations instead. */
 
-private import python
-private import semmle.python.Concepts
-private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.dataflow.new.TaintTracking
-private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.security.dataflow.RegexInjectionCustomizations as New
 
-/**
- * Provides default sources, sinks and sanitizers for detecting
- * "regular expression injection"
- * vulnerabilities, as well as extension points for adding your own.
- */
-module RegexInjection {
-  /**
-   * A data flow source for "regular expression injection" vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A sink for "regular expression injection" vulnerabilities is the execution of a regular expression.
-   * If you have a custom way to execute regular expressions, you can extend `RegexExecution::Range`.
-   */
-  class Sink extends DataFlow::Node {
-    RegexExecution regexExecution;
-
-    Sink() { this = regexExecution.getRegex() }
-
-    /** Gets the call that executes the regular expression marked by this sink. */
-    RegexExecution getRegexExecution() { result = regexExecution }
-  }
-
-  /**
-   * A sanitizer for "regular expression injection" vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
-
-  /**
-   * A sanitizer guard for "regular expression injection" vulnerabilities.
-   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
-
-  /**
-   * A source of remote user input, considered as a flow source.
-   */
-  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
-
-  /**
-   * A regex escaping, considered as a sanitizer.
-   */
-  class RegexEscapingAsSanitizer extends Sanitizer {
-    RegexEscapingAsSanitizer() {
-      // Due to use-use flow, we want the output rather than an input
-      // (so the input can still flow to other sinks).
-      this = any(RegexEscaping esc).getOutput()
-    }
-  }
-}
+/** DEPRECATED: use semmle.python.security.dataflow.RegexInjectionCustomizations instead. */
+deprecated module RegexInjection = New::RegexInjection;

python/ql/src/Security/CWE-730/RegexInjection.ql

@@ -14,7 +14,7 @@
 
 import python
 private import semmle.python.Concepts
-import semmle.python.security.injection.RegexInjection
+import semmle.python.security.dataflow.RegexInjection
 import DataFlow::PathGraph
 
 from