
Commit 93988e5

committed
Java: Deprecate the content of XxeLocalQuery and remove the Xxe local query variant.
1 parent e0c2a43 commit 93988e5


3 files changed

+4
-32
lines changed


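--- a/java/ql/lib/semmle/code/java/security/XxeLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XxeLocalQuery.qll
@@ -27,7 +27,7 @@ deprecated class XxeLocalConfig extends TaintTracking::Configuration {
 /**
 * A taint-tracking configuration for unvalidated local user input that is used in XML external entity expansion.
 */
-module XxeLocalConfig implements DataFlow::ConfigSig {
+deprecated module XxeLocalConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 
 predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
@@ -40,6 +40,8 @@ module XxeLocalConfig implements DataFlow::ConfigSig {
 }
 
 /**
+* DEPRECATED: Use `XxeFlow` instead and configure threat model sources to include `local`.
+*
 * Detect taint flow of unvalidated local user input that is used in XML external entity expansion.
 */
-module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
+deprecated module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;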
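Review bot: The doc comment on `XxeLocalConfig` (new lines 27-29) gets no `DEPRECATED:` line, while `XxeLocalFlow` in the second hunk does, so anyone who hits the deprecation warning on the config module has no pointer to the replacement. I would add the same notice at the top of that comment, ``* DEPRECATED: Use `XxeFlow` instead and configure threat model sources to include `local`.``, followed by a bare `*` line. Because the commit also deletes XXELocal.ql, XXE findings from local input presumably surface only when the `local` threat model is enabled. None of the three changed files is a change note saying so; if one is not added elsewhere, users of the removed query could lose that coverage without noticing. The body of `XxeLocalConfig` continues outside the first hunk.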

java/ql/src/Security/CWE/CWE-611/XXELocal.qhelp

Lines changed: 0 additions & 5 deletions
This file was deleted.

java/ql/src/Security/CWE/CWE-611/XXELocal.ql

Lines changed: 0 additions & 25 deletions
This file was deleted.
