Merge pull request github#16181 from hvitved/dynamic/deprecate-csv-models

Dynamic languages: Deprecate models-as-data CSV interface

Author: hvitved

javascript/ql/lib/qlpack.yml

@@ -15,4 +15,5 @@ dependencies:
   codeql/yaml: ${workspace}
 dataExtensions:
   - semmle/javascript/frameworks/**/model.yml
+  - semmle/javascript/frameworks/**/*.model.yml
 warnOnImplicitThis: true

javascript/ql/lib/semmle/javascript/frameworks/NoSQL.model.yml

@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      # In Mongo version 2.x, a client and a database handle were the same concept, but in 3.x
+      # they were separated. To handle everything with a single model, we treat them as the same here.
+      - ['mongodb.Db', 'mongodb.MongoClient', '']
+      # 'marsdb' has no typings and is archived.
+      # We just model is as a variant of 'mongoose'.
+      - ['mongoose.Model', 'marsdb', 'Member[Collection].Instance']
+      - ['mongoose.Query', 'marsdb', 'Member[Collection].Instance']
+      - ['mongoose.Query', 'mongoose.Query', 'Member[sortFunc].ReturnValue']

javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll

@@ -21,14 +21,6 @@ module NoSql {
  * Provides classes modeling the `mongodb` and `mongoose` libraries.
  */
 private module MongoDB {
-  private class OldMongoDbAdapter extends ModelInput::TypeModelCsv {
-    override predicate row(string row) {
-      // In Mongo version 2.x, a client and a database handle were the same concept, but in 3.x
-      // they were separated. To handle everything with a single model, we treat them as the same here.
-      row = "mongodb.Db;mongodb.MongoClient;"
-    }
-  }
-
   /**
    * An expression that is interpreted as a MongoDB query.
    */
@@ -169,24 +161,6 @@ private module Mongoose {
   }
 }
 
-/**
- * Provides classes modeling the MarsDB library.
- */
-private module MarsDB {
-  // 'marsdb' has no typings and is archived.
-  // We just model is as a variant of 'mongoose'.
-  private class MongooseExtension extends ModelInput::TypeModelCsv {
-    override predicate row(string row) {
-      row =
-        [
-          "mongoose.Query;marsdb;Member[Collection].Instance",
-          "mongoose.Model;marsdb;Member[Collection].Instance",
-          "mongoose.Query;mongoose.Query;Member[sortFunc].ReturnValue",
-        ]
-    }
-  }
-}
-
 /**
  * Provides classes modeling the `Node Redis` library.
  *

javascript/ql/lib/semmle/javascript/frameworks/SQL.model.yml

@@ -0,0 +1,19 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sourceModel
+    data:
+      - ['@google-cloud/spanner.~SpannerObject', 'Member[executeSql].Argument[0..].Parameter[1]', 'database-access-result']
+      - ['@google-cloud/spanner.~SpannerObject', 'Member[executeSql].ReturnValue.Awaited.Member[0]', 'database-access-result']
+      - ['@google-cloud/spanner.~SpannerObject', 'Member[run].Argument[0..].Parameter[1]', 'database-access-result']
+      - ['@google-cloud/spanner.~SpannerObject', 'Member[run].ReturnValue.Awaited', 'database-access-result']
+      - ['sequelize.Sequelize', 'Member[query].ReturnValue.Awaited', 'database-access-result']
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ['@google-cloud/spanner.Transaction', 'Member[batchUpdate].Argument[0]', 'sql-injection']
+      - ['@google-cloud/spanner.Transaction', 'Member[batchUpdate].Argument[0].ArrayElement.Member[sql]', 'sql-injection']
+      - ['@google-cloud/spanner.~SqlExecutorDirect', 'Argument[0]', 'sql-injection']
+      - ['@google-cloud/spanner.~SqlExecutorDirect', 'Argument[0].Member[sql]', 'sql-injection']

javascript/ql/lib/semmle/javascript/frameworks/SQL.qll

@@ -415,42 +415,3 @@ private module MsSql {
     override string getCredentialsKind() { result = kind }
   }
 }
-
-/**
- * Provides classes modeling the `sequelize` package.
- */
-private module Sequelize {
-  // Note: the sinks are specified directly in the MaD model
-  class SequelizeSource extends ModelInput::SourceModelCsv {
-    override predicate row(string row) {
-      row = "sequelize.Sequelize;Member[query].ReturnValue.Awaited;database-access-result"
-    }
-  }
-}
-
-private module SpannerCsv {
-  class SpannerSinks extends ModelInput::SinkModelCsv {
-    override predicate row(string row) {
-      // type; path; kind
-      row =
-        [
-          "@google-cloud/spanner.~SqlExecutorDirect;Argument[0];sql-injection",
-          "@google-cloud/spanner.~SqlExecutorDirect;Argument[0].Member[sql];sql-injection",
-          "@google-cloud/spanner.Transaction;Member[batchUpdate].Argument[0];sql-injection",
-          "@google-cloud/spanner.Transaction;Member[batchUpdate].Argument[0].ArrayElement.Member[sql];sql-injection",
-        ]
-    }
-  }
-
-  class SpannerSources extends ModelInput::SourceModelCsv {
-    override predicate row(string row) {
-      row =
-        [
-          "@google-cloud/spanner.~SpannerObject;Member[executeSql].Argument[0..].Parameter[1];database-access-result",
-          "@google-cloud/spanner.~SpannerObject;Member[executeSql].ReturnValue.Awaited.Member[0];database-access-result",
-          "@google-cloud/spanner.~SpannerObject;Member[run].ReturnValue.Awaited;database-access-result",
-          "@google-cloud/spanner.~SpannerObject;Member[run].Argument[0..].Parameter[1];database-access-result",
-        ]
-    }
-  }
-}