Java: Deprecate the local content of CommandLineQuery and remove the exec tainted local query variant.

Author: michaelnebel

java/ql/automodel/src/AutomodelAlertSinkUtil.qll

@@ -159,11 +159,7 @@ predicate sinkModelTallyPerQuery(string queryName, int alertCount, SinkModel sin
   SinkTallier<RequestForgeryConfig>::getSinkModelCount(alertCount, sinkModel)
   or
   queryName = "java/command-line-injection" and
-  exists(int c1, int c2 |
-    SinkTallier<RemoteUserInputToArgumentToExecFlowConfig>::getSinkModelCount(c1, sinkModel) and
-    SinkTallier<LocalUserInputToArgumentToExecFlowConfig>::getSinkModelCount(c2, sinkModel) and
-    alertCount = c1 + c2
-  )
+  SinkTallier<InputToArgumentToExecFlowConfig>::getSinkModelCount(alertCount, sinkModel)
   or
   queryName = "java/concatenated-sql-query" and
   SinkTallier<UncontrolledStringBuilderSourceFlowConfig>::getSinkModelCount(alertCount, sinkModel)

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -48,7 +48,7 @@ private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer
 /**
  * A taint-tracking configuration for unvalidated user input that is used to run an external process.
  */
-module RemoteUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
+module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
@@ -61,15 +61,24 @@ module RemoteUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig
 }
 
 /**
- * Taint-tracking flow for unvalidated user input that is used to run an external process.
+ * DEPRECATED: Use `InputToArgumentToExecFlowConfig` instead.
  */
-module RemoteUserInputToArgumentToExecFlow =
-  TaintTracking::Global<RemoteUserInputToArgumentToExecFlowConfig>;
+deprecated module RemoteUserInputToArgumentToExecFlowConfig = InputToArgumentToExecFlowConfig;
+
+/**
+ * Taint-tracking flow for unvalidated input that is used to run an external process.
+ */
+module InputToArgumentToExecFlow = TaintTracking::Global<InputToArgumentToExecFlowConfig>;
+
+/**
+ * DEPRECATED: Use `InputToArgumentToExecFlow` instead.
+ */
+deprecated module RemoteUserInputToArgumentToExecFlow = InputToArgumentToExecFlow;
 
 /**
  * A taint-tracking configuration for unvalidated local user input that is used to run an external process.
  */
-module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
+deprecated module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
@@ -82,9 +91,11 @@ module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `InputToArgumentToExecFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for unvalidated local user input that is used to run an external process.
  */
-module LocalUserInputToArgumentToExecFlow =
+deprecated module LocalUserInputToArgumentToExecFlow =
   TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
 
 /**
@@ -93,10 +104,9 @@ module LocalUserInputToArgumentToExecFlow =
  * reporting overlapping results.
  */
 predicate execIsTainted(
-  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 ) {
-  RemoteUserInputToArgumentToExecFlow::flowPath(source, sink) and
+  InputToArgumentToExecFlow::flowPath(source, sink) and
   argumentToExec(execArg, sink.getNode())
 }
 

java/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -14,11 +14,10 @@
 
 import java
 import semmle.code.java.security.CommandLineQuery
-import RemoteUserInputToArgumentToExecFlow::PathGraph
+import InputToArgumentToExecFlow::PathGraph
 
 from
-  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 where execIsTainted(source, sink, execArg)
 select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
   "user-provided value"

java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.qhelp

@@ -14,7 +14,7 @@
 
 import java
 import semmle.code.java.security.CommandLineQuery
-import RemoteUserInputToArgumentToExecFlow::PathGraph
+import InputToArgumentToExecFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow
 
 private class ActivateModels extends ActiveExperimentalModels {
@@ -23,8 +23,7 @@ private class ActivateModels extends ActiveExperimentalModels {
 
 // This is a clone of query `java/command-line-injection` that also includes experimental sinks.
 from
-  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 where execIsTainted(source, sink, execArg)
 select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
   "user-provided value"

java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql

@@ -0,0 +1 @@
+Security/CWE/CWE-078/ExecTainted.ql