Python: Deprecate old web modeling

Author: RasmusWL

python/ql/lib/semmle/python/web/Http.qll

@@ -4,13 +4,13 @@ import semmle.python.security.strings.External
 import HttpConstants
 
 /** Generic taint source from a http request */
-abstract class HttpRequestTaintSource extends TaintSource { }
+abstract deprecated class HttpRequestTaintSource extends TaintSource { }
 
 /**
  * Taint kind representing the WSGI environment.
  * As specified in PEP 3333. https://www.python.org/dev/peps/pep-3333/#environ-variables
  */
-class WsgiEnvironment extends TaintKind {
+deprecated class WsgiEnvironment extends TaintKind {
   WsgiEnvironment() { this = "wsgi.environment" }
 
   override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
@@ -43,7 +43,7 @@ class WsgiEnvironment extends TaintKind {
  * A standard morsel object from a HTTP request, a value in a cookie,
  * typically an instance of `http.cookies.Morsel`
  */
-class UntrustedMorsel extends TaintKind {
+deprecated class UntrustedMorsel extends TaintKind {
   UntrustedMorsel() { this = "http.Morsel" }
 
   override TaintKind getTaintOfAttribute(string name) {
@@ -53,7 +53,7 @@ class UntrustedMorsel extends TaintKind {
 }
 
 /** A standard cookie object from a HTTP request, typically an instance of `http.cookies.SimpleCookie` */
-class UntrustedCookie extends TaintKind {
+deprecated class UntrustedCookie extends TaintKind {
   UntrustedCookie() { this = "http.Cookie" }
 
   override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
@@ -62,7 +62,7 @@ class UntrustedCookie extends TaintKind {
   }
 }
 
-abstract class CookieOperation extends @py_flow_node {
+abstract deprecated class CookieOperation extends @py_flow_node {
   /** Gets a textual representation of this element. */
   abstract string toString();
 
@@ -71,20 +71,20 @@ abstract class CookieOperation extends @py_flow_node {
   abstract ControlFlowNode getValue();
 }
 
-abstract class CookieGet extends CookieOperation { }
+abstract deprecated class CookieGet extends CookieOperation { }
 
-abstract class CookieSet extends CookieOperation { }
+abstract deprecated class CookieSet extends CookieOperation { }
 
 /** Generic taint sink in a http response */
-abstract class HttpResponseTaintSink extends TaintSink {
+abstract deprecated class HttpResponseTaintSink extends TaintSink {
   override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
 }
 
-abstract class HttpRedirectTaintSink extends TaintSink {
+abstract deprecated class HttpRedirectTaintSink extends TaintSink {
   override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
 }
 
-module Client {
+deprecated module Client {
   // TODO: user-input in other than URL:
   // - `data`, `json` for `requests.post`
   // - `body` for `HTTPConnection.request`

python/ql/lib/semmle/python/web/HttpConstants.qll

@@ -1,5 +1,7 @@
 /** Gets an HTTP verb, in upper case */
-string httpVerb() { result in ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"] }
+deprecated string httpVerb() {
+  result in ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"]
+}
 
 /** Gets an HTTP verb, in lower case */
-string httpVerbLower() { result = httpVerb().toLowerCase() }
+deprecated string httpVerbLower() { result = httpVerb().toLowerCase() }

python/ql/lib/semmle/python/web/bottle/General.qll

@@ -3,16 +3,16 @@ import semmle.python.web.Http
 import semmle.python.types.Extensions
 
 /** The bottle module */
-ModuleValue theBottleModule() { result = Module::named("bottle") }
+deprecated ModuleValue theBottleModule() { result = Module::named("bottle") }
 
 /** The bottle.Bottle class */
-ClassValue theBottleClass() { result = theBottleModule().attr("Bottle") }
+deprecated ClassValue theBottleClass() { result = theBottleModule().attr("Bottle") }
 
 /**
  * Holds if `route` is routed to `func`
  * by decorating `func` with `app.route(route)` or `route(route)`
  */
-predicate bottle_route(CallNode route_call, ControlFlowNode route, Function func) {
+deprecated predicate bottle_route(CallNode route_call, ControlFlowNode route, Function func) {
   exists(CallNode decorator_call, string name |
     route_call.getFunction().(AttrNode).getObject(name).pointsTo().getClass() = theBottleClass() or
     route_call.getFunction().pointsTo(theBottleModule().attr(name))
@@ -24,7 +24,7 @@ predicate bottle_route(CallNode route_call, ControlFlowNode route, Function func
   )
 }
 
-class BottleRoute extends ControlFlowNode {
+deprecated class BottleRoute extends ControlFlowNode {
   BottleRoute() { bottle_route(this, _, _) }
 
   string getUrl() {

python/ql/lib/semmle/python/web/bottle/Redirect.qll

@@ -9,12 +9,12 @@ import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.bottle.General
 
-FunctionValue bottle_redirect() { result = theBottleModule().attr("redirect") }
+deprecated FunctionValue bottle_redirect() { result = theBottleModule().attr("redirect") }
 
 /**
  * Represents an argument to the `bottle.redirect` function.
  */
-class BottleRedirect extends TaintSink {
+deprecated class BottleRedirect extends TaintSink {
   override string toString() { result = "bottle.redirect" }
 
   BottleRedirect() {

python/ql/lib/semmle/python/web/bottle/Request.qll

@@ -4,9 +4,9 @@ import semmle.python.security.strings.External
 import semmle.python.web.Http
 import semmle.python.web.bottle.General
 
-private Value theBottleRequestObject() { result = theBottleModule().attr("request") }
+deprecated private Value theBottleRequestObject() { result = theBottleModule().attr("request") }
 
-class BottleRequestKind extends TaintKind {
+deprecated class BottleRequestKind extends TaintKind {
   BottleRequestKind() { this = "bottle.request" }
 
   override TaintKind getTaintOfAttribute(string name) {
@@ -21,13 +21,13 @@ class BottleRequestKind extends TaintKind {
   }
 }
 
-private class RequestSource extends HttpRequestTaintSource {
+deprecated private class RequestSource extends HttpRequestTaintSource {
   RequestSource() { this.(ControlFlowNode).pointsTo(theBottleRequestObject()) }
 
   override predicate isSourceOf(TaintKind kind) { kind instanceof BottleRequestKind }
 }
 
-class BottleFormsDict extends TaintKind {
+deprecated class BottleFormsDict extends TaintKind {
   BottleFormsDict() { this = "bottle.FormsDict" }
 
   override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
@@ -48,7 +48,7 @@ class BottleFormsDict extends TaintKind {
   }
 }
 
-class FileUpload extends TaintKind {
+deprecated class FileUpload extends TaintKind {
   FileUpload() { this = "bottle.FileUpload" }
 
   override TaintKind getTaintOfAttribute(string name) {
@@ -60,7 +60,7 @@ class FileUpload extends TaintKind {
   }
 }
 
-class UntrustedFile extends TaintKind {
+deprecated class UntrustedFile extends TaintKind {
   UntrustedFile() { this = "Untrusted file" }
 }
 
@@ -69,7 +69,7 @@ class UntrustedFile extends TaintKind {
 //  Move UntrustedFile to shared location
 //
 /** Parameter to a bottle request handler function */
-class BottleRequestParameter extends HttpRequestTaintSource {
+deprecated class BottleRequestParameter extends HttpRequestTaintSource {
   BottleRequestParameter() {
     exists(BottleRoute route | route.getANamedArgument() = this.(ControlFlowNode).getNode())
   }

python/ql/lib/semmle/python/web/bottle/Response.qll

@@ -9,13 +9,13 @@ import semmle.python.web.bottle.General
  * This isn't really a "taint", but we use the value tracking machinery to
  * track the flow of response objects.
  */
-class BottleResponse extends TaintKind {
+deprecated class BottleResponse extends TaintKind {
   BottleResponse() { this = "bottle.response" }
 }
 
-private Value theBottleResponseObject() { result = theBottleModule().attr("response") }
+deprecated private Value theBottleResponseObject() { result = theBottleModule().attr("response") }
 
-class BottleResponseBodyAssignment extends HttpResponseTaintSink {
+deprecated class BottleResponseBodyAssignment extends HttpResponseTaintSink {
   BottleResponseBodyAssignment() {
     exists(DefinitionNode lhs |
       lhs.getValue() = this and
@@ -26,7 +26,7 @@ class BottleResponseBodyAssignment extends HttpResponseTaintSink {
   override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
 
-class BottleHandlerFunctionResult extends HttpResponseTaintSink {
+deprecated class BottleHandlerFunctionResult extends HttpResponseTaintSink {
   BottleHandlerFunctionResult() {
     exists(BottleRoute route, Return ret |
       ret.getScope() = route.getFunction() and
@@ -39,7 +39,7 @@ class BottleHandlerFunctionResult extends HttpResponseTaintSink {
   override string toString() { result = "bottle handler function result" }
 }
 
-class BottleCookieSet extends CookieSet, CallNode {
+deprecated class BottleCookieSet extends CookieSet, CallNode {
   BottleCookieSet() {
     any(BottleResponse r).taints(this.getFunction().(AttrNode).getObject("set_cookie"))
   }

python/ql/lib/semmle/python/web/cherrypy/General.qll

@@ -1,19 +1,19 @@
 import python
 import semmle.python.web.Http
 
-module CherryPy {
+deprecated module CherryPy {
   FunctionValue expose() { result = Value::named("cherrypy.expose") }
 }
 
-class CherryPyExposedFunction extends Function {
+deprecated class CherryPyExposedFunction extends Function {
   CherryPyExposedFunction() {
     this.getADecorator().pointsTo(CherryPy::expose())
     or
     this.getADecorator().(Call).getFunc().pointsTo(CherryPy::expose())
   }
 }
 
-class CherryPyRoute extends CallNode {
+deprecated class CherryPyRoute extends CallNode {
   CherryPyRoute() {
     /* cherrypy.quickstart(root, script_name, config) */
     Value::named("cherrypy.quickstart").(FunctionValue).getACall() = this

python/ql/lib/semmle/python/web/cherrypy/Request.qll

@@ -5,7 +5,7 @@ import semmle.python.web.Http
 import semmle.python.web.cherrypy.General
 
 /** The cherrypy.request local-proxy object */
-class CherryPyRequest extends TaintKind {
+deprecated class CherryPyRequest extends TaintKind {
   CherryPyRequest() { this = "cherrypy.request" }
 
   override TaintKind getTaintOfAttribute(string name) {
@@ -20,7 +20,7 @@ class CherryPyRequest extends TaintKind {
   }
 }
 
-class CherryPyExposedFunctionParameter extends HttpRequestTaintSource {
+deprecated class CherryPyExposedFunctionParameter extends HttpRequestTaintSource {
   CherryPyExposedFunctionParameter() {
     exists(Parameter p |
       p = any(CherryPyExposedFunction f).getAnArg() and
@@ -34,7 +34,7 @@ class CherryPyExposedFunctionParameter extends HttpRequestTaintSource {
   override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
 }
 
-class CherryPyRequestSource extends HttpRequestTaintSource {
+deprecated class CherryPyRequestSource extends HttpRequestTaintSource {
   CherryPyRequestSource() { this.(ControlFlowNode).pointsTo(Value::named("cherrypy.request")) }
 
   override predicate isSourceOf(TaintKind kind) { kind instanceof CherryPyRequest }

python/ql/lib/semmle/python/web/cherrypy/Response.qll

@@ -4,7 +4,7 @@ import semmle.python.security.strings.Untrusted
 import semmle.python.web.Http
 import semmle.python.web.cherrypy.General
 
-class CherryPyExposedFunctionResult extends HttpResponseTaintSink {
+deprecated class CherryPyExposedFunctionResult extends HttpResponseTaintSink {
   CherryPyExposedFunctionResult() {
     exists(Return ret |
       ret.getScope() instanceof CherryPyExposedFunction and

python/ql/lib/semmle/python/web/client/Requests.qll

@@ -6,7 +6,7 @@
 import python
 private import semmle.python.web.Http
 
-class RequestsHttpRequest extends Client::HttpRequest, CallNode {
+deprecated class RequestsHttpRequest extends Client::HttpRequest, CallNode {
   CallableValue func;
   string method;