Merge pull request github#7660 from RasmusWL/deprecate-old-modeling

Python: Deprecate old points-to based modeling

Author: yoff

python/ql/lib/change-notes/2022-01-19-deprecate-old-library-modeling.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The old points-to based modeling has been deprecated. Use the new type-tracking/API-graphs based modeling instead.

python/ql/lib/semmle/python/Concepts.qll

@@ -534,7 +534,11 @@ class RegexEscaping extends Escaping {
 
 /** Provides classes for modeling HTTP-related APIs. */
 module HTTP {
-  import semmle.python.web.HttpConstants
+  /** Gets an HTTP verb, in upper case */
+  string httpVerb() { result in ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"] }
+
+  /** Gets an HTTP verb, in lower case */
+  string httpVerbLower() { result = httpVerb().toLowerCase() }
 
   /** Provides classes for modeling HTTP servers. */
   module Server {

python/ql/lib/semmle/python/security/ClearText.qll

@@ -4,7 +4,7 @@ import semmle.python.security.SensitiveData
 import semmle.python.dataflow.Files
 import semmle.python.web.Http
 
-module ClearTextStorage {
+deprecated module ClearTextStorage {
   abstract class Sink extends TaintSink {
     override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
   }
@@ -26,7 +26,7 @@ module ClearTextStorage {
   }
 }
 
-module ClearTextLogging {
+deprecated module ClearTextLogging {
   abstract class Sink extends TaintSink {
     override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
   }

python/ql/lib/semmle/python/security/Crypto.qll

@@ -3,12 +3,12 @@ import semmle.python.dataflow.TaintTracking
 private import semmle.python.security.SensitiveData
 private import semmle.crypto.Crypto as CryptoLib
 
-abstract class WeakCryptoSink extends TaintSink {
+abstract deprecated class WeakCryptoSink extends TaintSink {
   override predicate sinks(TaintKind taint) { taint instanceof SensitiveData }
 }
 
 /** Modeling the 'pycrypto' package https://github.com/dlitz/pycrypto (latest release 2013) */
-module Pycrypto {
+deprecated module Pycrypto {
   ModuleValue cipher(string name) { result = Module::named("Crypto.Cipher").attr(name) }
 
   class CipherInstance extends TaintKind {
@@ -58,7 +58,7 @@ module Pycrypto {
   }
 }
 
-module Cryptography {
+deprecated module Cryptography {
   ModuleValue ciphers() {
     result = Module::named("cryptography.hazmat.primitives.ciphers") and
     result.isPackage()
@@ -128,7 +128,7 @@ module Cryptography {
   }
 }
 
-private class CipherConfig extends TaintTracking::Configuration {
+deprecated private class CipherConfig extends TaintTracking::Configuration {
   CipherConfig() { this = "Crypto cipher config" }
 
   override predicate isSource(TaintTracking::Source source) {

python/ql/lib/semmle/python/security/Exceptions.qll

@@ -7,13 +7,15 @@ import python
 import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 
-private Value traceback_function(string name) { result = Module::named("traceback").attr(name) }
+deprecated private Value traceback_function(string name) {
+  result = Module::named("traceback").attr(name)
+}
 
 /**
  * This represents information relating to an exception, for instance the
  * message, arguments or parts of the exception traceback.
  */
-class ExceptionInfo extends StringKind {
+deprecated class ExceptionInfo extends StringKind {
   ExceptionInfo() { this = "exception.info" }
 
   override string repr() { result = "exception info" }
@@ -23,12 +25,12 @@ class ExceptionInfo extends StringKind {
  * A class representing sources of information about
  * execution state exposed in tracebacks and the like.
  */
-abstract class ErrorInfoSource extends TaintSource { }
+abstract deprecated class ErrorInfoSource extends TaintSource { }
 
 /**
  * This kind represents exceptions themselves.
  */
-class ExceptionKind extends TaintKind {
+deprecated class ExceptionKind extends TaintKind {
   ExceptionKind() { this = "exception.kind" }
 
   override string repr() { result = "exception" }
@@ -44,7 +46,7 @@ class ExceptionKind extends TaintKind {
  * A source of exception objects, either explicitly created, or captured by an
  * `except` statement.
  */
-class ExceptionSource extends ErrorInfoSource {
+deprecated class ExceptionSource extends ErrorInfoSource {
   ExceptionSource() {
     exists(ClassValue cls |
       cls.getASuperType() = ClassValue::baseException() and
@@ -63,15 +65,15 @@ class ExceptionSource extends ErrorInfoSource {
  * Represents a sequence of pieces of information relating to an exception,
  * for instance the contents of the `args` attribute, or the stack trace.
  */
-class ExceptionInfoSequence extends SequenceKind {
+deprecated class ExceptionInfoSequence extends SequenceKind {
   ExceptionInfoSequence() { this.getItem() instanceof ExceptionInfo }
 }
 
 /**
  * Represents calls to functions in the `traceback` module that return
  * sequences of exception information.
  */
-class CallToTracebackFunction extends ErrorInfoSource {
+deprecated class CallToTracebackFunction extends ErrorInfoSource {
   CallToTracebackFunction() {
     exists(string name |
       name in [
@@ -92,7 +94,7 @@ class CallToTracebackFunction extends ErrorInfoSource {
  * Represents calls to functions in the `traceback` module that return a single
  * string of information about an exception.
  */
-class FormattedTracebackSource extends ErrorInfoSource {
+deprecated class FormattedTracebackSource extends ErrorInfoSource {
   FormattedTracebackSource() { this = traceback_function("format_exc").getACall() }
 
   override string toString() { result = "exception.info.source" }

python/ql/lib/semmle/python/security/Paths.qll

@@ -1,6 +1,6 @@
 import semmle.python.dataflow.Implementation
 
-module TaintTrackingPaths {
+deprecated module TaintTrackingPaths {
   predicate edge(TaintTrackingNode src, TaintTrackingNode dest, string label) {
     exists(TaintTrackingNode source, TaintTrackingNode sink |
       source.getConfiguration().hasFlowPath(source, sink) and
@@ -11,6 +11,6 @@ module TaintTrackingPaths {
   }
 }
 
-query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) {
+deprecated query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) {
   TaintTrackingPaths::edge(fromnode, tonode, _)
 }

python/ql/lib/semmle/python/security/SensitiveData.qll

@@ -15,15 +15,15 @@ import semmle.python.web.HttpRequest
 import semmle.python.security.internal.SensitiveDataHeuristics
 private import HeuristicNames
 
-abstract class SensitiveData extends TaintKind {
+abstract deprecated class SensitiveData extends TaintKind {
   bindingset[this]
   SensitiveData() { this = this }
 
   /** Gets the classification of this sensitive data taint kind. */
   abstract SensitiveDataClassification getClassification();
 }
 
-module SensitiveData {
+deprecated module SensitiveData {
   class Secret extends SensitiveData {
     Secret() { this = "sensitive.data.secret" }
 
@@ -115,4 +115,4 @@ module SensitiveData {
 }
 
 //Backwards compatibility
-class SensitiveDataSource = SensitiveData::Source;
+deprecated class SensitiveDataSource = SensitiveData::Source;

python/ql/lib/semmle/python/security/flow/AnyCall.qll

@@ -2,7 +2,7 @@ import python
 import semmle.python.security.strings.Basic
 
 /** Assume that taint flows from argument to result for *any* call */
-class AnyCallStringFlow extends DataFlowExtension::DataFlowNode {
+deprecated class AnyCallStringFlow extends DataFlowExtension::DataFlowNode {
   AnyCallStringFlow() { any(CallNode call).getAnArg() = this }
 
   override ControlFlowNode getASuccessorNode() { result.(CallNode).getAnArg() = this }

python/ql/lib/semmle/python/security/injection/Command.qll

@@ -11,18 +11,18 @@ import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 
 /** Abstract taint sink that is potentially vulnerable to malicious shell commands. */
-abstract class CommandSink extends TaintSink { }
+abstract deprecated class CommandSink extends TaintSink { }
 
-private ModuleObject osOrPopenModule() { result.getName() = ["os", "popen2"] }
+deprecated private ModuleObject osOrPopenModule() { result.getName() = ["os", "popen2"] }
 
-private Object makeOsCall() {
+deprecated private Object makeOsCall() {
   exists(string name | result = ModuleObject::named("subprocess").attr(name) |
     name = ["Popen", "call", "check_call", "check_output", "run"]
   )
 }
 
 /**Special case for first element in sequence. */
-class FirstElementKind extends TaintKind {
+deprecated class FirstElementKind extends TaintKind {
   FirstElementKind() { this = "sequence[" + any(ExternalStringKind key) + "][0]" }
 
   override string repr() { result = "first item in sequence of " + this.getItem().repr() }
@@ -31,7 +31,7 @@ class FirstElementKind extends TaintKind {
   ExternalStringKind getItem() { this = "sequence[" + result + "][0]" }
 }
 
-class FirstElementFlow extends DataFlowExtension::DataFlowNode {
+deprecated class FirstElementFlow extends DataFlowExtension::DataFlowNode {
   FirstElementFlow() { this = any(SequenceNode s).getElement(0) }
 
   override ControlFlowNode getASuccessorNode(TaintKind fromkind, TaintKind tokind) {
@@ -43,7 +43,7 @@ class FirstElementFlow extends DataFlowExtension::DataFlowNode {
  * A taint sink that is potentially vulnerable to malicious shell commands.
  * The `vuln` in `subprocess.call(shell=vuln)` and similar calls.
  */
-class ShellCommand extends CommandSink {
+deprecated class ShellCommand extends CommandSink {
   override string toString() { result = "shell command" }
 
   ShellCommand() {
@@ -81,7 +81,7 @@ class ShellCommand extends CommandSink {
  * A taint sink that is potentially vulnerable to malicious shell commands.
  * The `vuln` in `subprocess.call(vuln, ...)` and similar calls.
  */
-class OsCommandFirstArgument extends CommandSink {
+deprecated class OsCommandFirstArgument extends CommandSink {
   override string toString() { result = "OS command first argument" }
 
   OsCommandFirstArgument() {
@@ -111,7 +111,7 @@ class OsCommandFirstArgument extends CommandSink {
  * A taint sink that is potentially vulnerable to malicious shell commands.
  * The `vuln` in `invoke.run(vuln, ...)` and similar calls.
  */
-class InvokeRun extends CommandSink {
+deprecated class InvokeRun extends CommandSink {
   InvokeRun() {
     this = Value::named("invoke.run").(FunctionValue).getArgumentForCall(_, 0)
     or
@@ -127,12 +127,12 @@ class InvokeRun extends CommandSink {
  * Internal TaintKind to track the invoke.Context instance passed to functions
  * marked with @invoke.task
  */
-private class InvokeContextArg extends TaintKind {
+deprecated private class InvokeContextArg extends TaintKind {
   InvokeContextArg() { this = "InvokeContextArg" }
 }
 
 /** Internal TaintSource to track the context passed to functions marked with @invoke.task */
-private class InvokeContextArgSource extends TaintSource {
+deprecated private class InvokeContextArgSource extends TaintSource {
   InvokeContextArgSource() {
     exists(Function f, Expr decorator |
       count(f.getADecorator()) = 1 and
@@ -158,7 +158,7 @@ private class InvokeContextArgSource extends TaintSource {
  * A taint sink that is potentially vulnerable to malicious shell commands.
  * The `vuln` in `invoke.Context().run(vuln, ...)` and similar calls.
  */
-class InvokeContextRun extends CommandSink {
+deprecated class InvokeContextRun extends CommandSink {
   InvokeContextRun() {
     exists(CallNode call |
       any(InvokeContextArg k).taints(call.getFunction().(AttrNode).getObject("run"))
@@ -187,7 +187,7 @@ class InvokeContextRun extends CommandSink {
  * A taint sink that is potentially vulnerable to malicious shell commands.
  * The `vuln` in `fabric.Group().run(vuln, ...)` and similar calls.
  */
-class FabricGroupRun extends CommandSink {
+deprecated class FabricGroupRun extends CommandSink {
   FabricGroupRun() {
     exists(ClassValue cls |
       cls.getASuperType() = Value::named("fabric.Group") and
@@ -203,7 +203,7 @@ class FabricGroupRun extends CommandSink {
 // -------------------------------------------------------------------------- //
 // Modeling of the 'invoke' package and 'fabric' package (v 1.x)
 // -------------------------------------------------------------------------- //
-class FabricV1Commands extends CommandSink {
+deprecated class FabricV1Commands extends CommandSink {
   FabricV1Commands() {
     // since `run` and `sudo` are decorated, we can't use FunctionValue's :(
     exists(CallNode call |
@@ -228,7 +228,7 @@ class FabricV1Commands extends CommandSink {
  * An extension that propagates taint from the arguments of `fabric.api.execute(func, arg0, arg1, ...)`
  * to the parameters of `func`, since this will call `func(arg0, arg1, ...)`.
  */
-class FabricExecuteExtension extends DataFlowExtension::DataFlowNode {
+deprecated class FabricExecuteExtension extends DataFlowExtension::DataFlowNode {
   CallNode call;
 
   FabricExecuteExtension() {

python/ql/lib/semmle/python/security/injection/Deserialization.qll

@@ -2,7 +2,7 @@ import python
 import semmle.python.dataflow.TaintTracking
 
 /** `pickle.loads(untrusted)` vulnerability. */
-abstract class DeserializationSink extends TaintSink {
+abstract deprecated class DeserializationSink extends TaintSink {
   bindingset[this]
   DeserializationSink() { this = this }
 }