Java: Deprecate the content of ArithmeticTaintedLocalQuery and remove the arithmetic tainted local query variant.

Author: michaelnebel

java/ql/lib/semmle/code/java/security/ArithmeticTaintedLocalQuery.qll

@@ -5,9 +5,11 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ArithmeticCommon
 
 /**
+ * DEPRECATED: Use `ArithmeticOverflowConfig` instead.
+ *
  * A taint-tracking configuration to reason about arithmetic overflow using local-user-controlled data.
  */
-module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
+deprecated module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
@@ -18,15 +20,17 @@ module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `ArithmeticOverflow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for arithmetic overflow using local-user-controlled data.
  */
-module ArithmeticTaintedLocalOverflowFlow =
+deprecated module ArithmeticTaintedLocalOverflowFlow =
   TaintTracking::Global<ArithmeticTaintedLocalOverflowConfig>;
 
 /**
  * A taint-tracking configuration to reason about arithmetic underflow using local-user-controlled data.
  */
-module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
+deprecated module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
@@ -37,7 +41,9 @@ module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `ArithmeticUnderflow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for arithmetic underflow using local-user-controlled data.
  */
-module ArithmeticTaintedLocalUnderflowFlow =
+deprecated module ArithmeticTaintedLocalUnderflowFlow =
   TaintTracking::Global<ArithmeticTaintedLocalUnderflowConfig>;

java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll

@@ -1,11 +1,11 @@
-/** Provides taint-tracking configurations to reason about arithmetic with unvalidated user input. */
+/** Provides taint-tracking configurations to reason about arithmetic with unvalidated input. */
 
 import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ArithmeticCommon
 
-/** A taint-tracking configuration to reason about overflow from unvalidated user input. */
-module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
+/** A taint-tracking configuration to reason about overflow from unvalidated input. */
+module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
@@ -15,8 +15,13 @@ module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
-/** A taint-tracking configuration to reason about underflow from unvalidated user input. */
-module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
+/**
+ * DEPRECATED: Use `ArithmeticOverflowConfig` instead.
+ */
+deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig;
+
+/** A taint-tracking configuration to reason about underflow from unvalidated input. */
+module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
@@ -26,8 +31,23 @@ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
-/** Taint-tracking flow for overflow from unvalidated user input. */
-module RemoteUserInputOverflow = TaintTracking::Global<RemoteUserInputOverflowConfig>;
+/**
+ * DEPRECATED: Use `ArithmeticUnderflowConfig` instead.
+ */
+deprecated module RemoteUserInputUnderflowConfig = ArithmeticUnderflowConfig;
+
+/** Taint-tracking flow for overflow from unvalidated input. */
+module ArithmeticOverflow = TaintTracking::Global<ArithmeticOverflowConfig>;
+
+/**
+ * DEPRECATED: Use `ArithmeticOverflow` instead.
+ */
+deprecated module RemoteUserInputOverflow = ArithmeticOverflow;
+
+/** Taint-tracking flow for underflow from unvalidated input. */
+module ArithmeticUnderflow = TaintTracking::Global<ArithmeticUnderflowConfig>;
 
-/** Taint-tracking flow for underflow from unvalidated user input. */
-module RemoteUserInputUnderflow = TaintTracking::Global<RemoteUserInputUnderflowConfig>;
+/**
+ * DEPRECATED: Use `ArithmeticUnderflow` instead.
+ */
+deprecated module RemoteUserInputUnderflow = ArithmeticUnderflow;

java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -18,18 +18,18 @@ import semmle.code.java.security.ArithmeticCommon
 import semmle.code.java.security.ArithmeticTaintedQuery
 
 module Flow =
-  DataFlow::MergePathGraph<RemoteUserInputOverflow::PathNode, RemoteUserInputUnderflow::PathNode,
-    RemoteUserInputOverflow::PathGraph, RemoteUserInputUnderflow::PathGraph>;
+  DataFlow::MergePathGraph<ArithmeticOverflow::PathNode, ArithmeticUnderflow::PathNode,
+    ArithmeticOverflow::PathGraph, ArithmeticUnderflow::PathGraph>;
 
 import Flow::PathGraph
 
 from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
 where
-  RemoteUserInputOverflow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
+  ArithmeticOverflow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
   overflowSink(exp, sink.getNode().asExpr()) and
   effect = "overflow"
   or
-  RemoteUserInputUnderflow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
+  ArithmeticUnderflow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
   underflowSink(exp, sink.getNode().asExpr()) and
   effect = "underflow"
 select exp, source, sink,

java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.qhelp

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql

@@ -0,0 +1 @@
+Security/CWE/CWE-190/ArithmeticTainted.ql