Convert Fasthttp::Args::RemoteFlowSource to MaD

owen-mc · owen-mc · commit c3169d258f01 · 2024-07-17T12:11:57.000+01:00
diff --git a/go/ql/lib/ext/github.com.valyala.fasthttp.model.yml b/go/ql/lib/ext/github.com.valyala.fasthttp.model.yml
@@ -13,6 +13,12 @@ extensions:
       pack: codeql/go-all
       extensible: sourceModel
     data:
+      - ["github.com/valyala/fasthttp", "Args", True, "Peek", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/valyala/fasthttp", "Args", True, "PeekBytes", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/valyala/fasthttp", "Args", True, "PeekMulti", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/valyala/fasthttp", "Args", True, "PeekMultiBytes", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/valyala/fasthttp", "Args", True, "QueryString", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/valyala/fasthttp", "Args", True, "String", "", "", "ReturnValue[0]", "remote", "manual"]
       - ["github.com/valyala/fasthttp", "URI", True, "FullURI", "", "", "ReturnValue[0]", "remote", "manual"]
       - ["github.com/valyala/fasthttp", "URI", True, "LastPathSegment", "", "", "ReturnValue[0]", "remote", "manual"]
       - ["github.com/valyala/fasthttp", "URI", True, "Path", "", "", "ReturnValue[0]", "remote", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/Fasthttp.qll b/go/ql/lib/semmle/go/frameworks/Fasthttp.qll
@@ -279,20 +279,24 @@ module Fasthttp {
   }
 
   /**
+   * DEPRECATED
+   *
    * Provide modeling for fasthttp.Args Type.
    */
-  module Args {
+  deprecated module Args {
     /**
-     * DEPRECATED: Use `RemoteFlowSource` instead.
+     * DEPRECATED: Use `RemoteFlowSource::Range` instead.
      */
     deprecated class UntrustedFlowSource = RemoteFlowSource;
 
     /**
+     * DEPRECATED: Use `RemoteFlowSource::Range` instead.
+     *
      * The methods as Remote user controllable source which are part of the incoming URL Parameters.
      *
      * When support for lambdas has been implemented we should model "VisitAll".
      */
-    class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
+    deprecated class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
       RemoteFlowSource() {
         exists(Method m |
           m.hasQualifiedName(packagePath(), "Args",
