Make RemoteFlowAsSource private

`UntrustedFlowAsSource` should have been private. Since we are deprecating them anyway
we may as well make the replacement private (and make it use `instanceof`). The deprecation
comments have been updated.

Author: owen-mc

go/ql/lib/change-notes/2024-04-18-untrustedflowsource-renamed-remoteflowsource.md

@@ -30,12 +30,12 @@ module CommandInjection {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * DEPRECATED: Use `RemoteFlowAsSource` instead.
+   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
    */
   deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
 
   /** A source of untrusted data, considered as a taint source for command injection. */
-  class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
+  private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
 
   /** A command name, considered as a taint sink for command injection. */
   class CommandNameAsSink extends Sink {

go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll

@@ -26,12 +26,12 @@ module LogInjection {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * DEPRECATED: Use `RemoteFlowAsSource` instead.
+   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
    */
   deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
 
   /** A source of untrusted data, considered as a taint source for log injection. */
-  class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
+  private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
 
   /** An argument to a logging mechanism. */
   class LoggerSink extends Sink {

go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll

@@ -43,14 +43,14 @@ module OpenUrlRedirect {
   }
 
   /**
-   * DEPRECATED: Use `RemoteFlowAsSource` instead.
+   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
    */
   deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
 
   /**
    * A source of third-party user input, considered as a flow source for URL redirects.
    */
-  class RemoteFlowAsSource extends Source, RemoteFlowSource {
+  private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource {
     RemoteFlowAsSource() {
       // exclude some fields and methods of URLs that are generally not attacker-controllable for
       // open redirect exploits

go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll

@@ -35,14 +35,14 @@ module ReflectedXss {
   }
 
   /**
-   * DEPRECATED: Use `RemoteFlowAsSource` instead.
+   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
    */
   deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
 
   /**
    * A third-party controllable input, considered as a flow source for reflected XSS.
    */
-  class RemoteFlowAsSource extends Source, RemoteFlowSource { }
+  private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
 
   /** An arbitrary XSS sink, considered as a flow sink for stored XSS. */
   private class AnySink extends Sink instanceof SharedXss::Sink { }

go/ql/lib/semmle/go/security/ReflectedXssCustomizations.qll

@@ -33,14 +33,14 @@ module RequestForgery {
   abstract class SanitizerEdge extends DataFlow::Node { }
 
   /**
-   * DEPRECATED: Use `RemoteFlowAsSource` instead.
+   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
    */
   deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
 
   /**
    * A third-party controllable input, considered as a flow source for request forgery.
    */
-  class RemoteFlowAsSource extends Source, RemoteFlowSource { }
+  private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
 
   /**
    * The URL of an HTTP request, viewed as a sink for request forgery.

go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll

@@ -26,12 +26,12 @@ module SqlInjection {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * DEPRECATED: Use `RemoteFlowAsSource` instead.
+   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
    */
   deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
 
   /** A source of untrusted data, considered as a taint source for SQL injection. */
-  class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
+  private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
 
   /** An SQL string, considered as a taint sink for SQL injection. */
   class SqlQueryAsSink extends Sink instanceof SQL::QueryString { }

go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll

@@ -45,12 +45,12 @@ module TaintedPath {
   }
 
   /**
-   * DEPRECATED: Use `RemoteFlowAsSource` instead.
+   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
    */
   deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
 
   /** A source of untrusted data, considered as a taint source for path traversal. */
-  class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
+  private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
 
   /** A path expression, considered as a taint sink for path traversal. */
   class PathAsSink extends Sink {

go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll

@@ -25,12 +25,12 @@ module XPathInjection {
   abstract class Sanitizer extends DataFlow::ExprNode { }
 
   /**
-   * DEPRECATED: Use `RemoteFlowAsSource` instead.
+   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
    */
   deprecated class UntrustedFlowAsSource = RemoteFlowAsSource;
 
   /** A source of untrusted data, used in an XPath expression. */
-  class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
+  private class RemoteFlowAsSource extends Source instanceof RemoteFlowSource { }
 
   /** An XPath expression string, considered as a taint sink for XPath injection. */
   class XPathExpressionStringAsSink extends Sink instanceof XPath::XPathExpressionString { }

go/ql/lib/semmle/go/security/XPathInjectionCustomizations.qll

@@ -17,12 +17,12 @@ module EmailInjection {
   abstract class Sink extends DataFlow::Node { }
 
   /**
-   * DEPRECATED: Use `RemoteFlowSourceAsSource` instead.
+   * DEPRECATED: Use `RemoteFlowSource` or `Source` instead.
    */
   deprecated class UntrustedFlowSourceAsSource = RemoteFlowSourceAsSource;
 
   /** A source of untrusted data, considered as a taint source for email injection. */
-  class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource { }
+  private class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource { }
 
   /**
    * A data-flow node that becomes part of an email considered as a taint sink for email injection.