move getACommonTld to the shared pack

erik-krogh · erik-krogh · commit 355499ea522b · 2022-12-17T17:26:18.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/Regexp.qll b/javascript/ql/lib/semmle/javascript/Regexp.qll
@@ -999,11 +999,12 @@ predicate isInterpretedAsRegExp(DataFlow::Node source) {
 /**
  * Provides utility predicates related to regular expressions.
  */
-module RegExpPatterns {
+deprecated module RegExpPatterns {
   /**
    * Gets a pattern that matches common top-level domain names in lower case.
+   * DEPRECATED: use the similarly named predicate from `HostnameRegex` from the `regex` pack instead.
    */
-  string getACommonTld() {
+  deprecated string getACommonTld() {
     // according to ranking by http://google.com/search?q=site:.<<TLD>>
     result = "(?:com|org|edu|gov|uk|net|io)(?![a-z0-9])"
   }
diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/HostnameRegexp.qll b/javascript/ql/lib/semmle/javascript/security/regexp/HostnameRegexp.qll
@@ -12,8 +12,6 @@ private module Impl implements Shared::HostnameRegexpSig<TreeImpl> {
   class DataFlowNode = JS::DataFlow::Node;
 
   class RegExpPatternSource = RegExp::RegExpPatternSource;
-
-  string getACommonTld() { result = RegExp::RegExpPatterns::getACommonTld() }
 }
 
 import Shared::Make<TreeImpl, Impl>
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll
@@ -31,7 +31,7 @@ query predicate problems(
   (
     // target contains a domain on a common TLD, and perhaps some other URL components
     target
-        .regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+" + RegExpPatterns::getACommonTld() +
+        .regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+" + HostnameRegexp::getACommonTld() +
             "(:[0-9]+)?/?")
     or
     // target is a HTTP URL to a domain on any TLD
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitizationSpecific.qll b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitizationSpecific.qll
@@ -3,3 +3,5 @@ import semmle.javascript.dataflow.InferredTypes
 
 /** Holds if `node` may evaluate to `value` */
 predicate mayHaveStringValue(DataFlow::Node node, string value) { node.mayHaveStringValue(value) }
+
+import semmle.javascript.security.regexp.HostnameRegexp as HostnameRegexp
diff --git a/python/ql/lib/semmle/python/dataflow/new/Regexp.qll b/python/ql/lib/semmle/python/dataflow/new/Regexp.qll
@@ -9,11 +9,12 @@ private import semmle.python.dataflow.new.DataFlow
 /**
  * Provides utility predicates related to regular expressions.
  */
-module RegExpPatterns {
+deprecated module RegExpPatterns {
   /**
    * Gets a pattern that matches common top-level domain names in lower case.
+   * DEPRECATED: use the similarly named predicate from `HostnameRegex` from the `regex` pack instead.
    */
-  string getACommonTld() {
+  deprecated string getACommonTld() {
     // according to ranking by http://google.com/search?q=site:.<<TLD>>
     result = "(?:com|org|edu|gov|uk|net|io)(?![a-z0-9])"
   }
diff --git a/python/ql/lib/semmle/python/security/regexp/HostnameRegex.qll b/python/ql/lib/semmle/python/security/regexp/HostnameRegex.qll
@@ -13,8 +13,6 @@ private module Impl implements Shared::HostnameRegexpSig<TreeImpl> {
   class DataFlowNode = DataFlow::Node;
 
   class RegExpPatternSource = Regexp::RegExpPatternSource;
-
-  string getACommonTld() { result = Regexp::RegExpPatterns::getACommonTld() }
 }
 
 import Shared::Make<TreeImpl, Impl>
diff --git a/ruby/ql/lib/codeql/ruby/Regexp.qll b/ruby/ql/lib/codeql/ruby/Regexp.qll
@@ -15,11 +15,12 @@ private import codeql.ruby.ApiGraphs
 /**
  * Provides utility predicates related to regular expressions.
  */
-module RegExpPatterns {
+deprecated module RegExpPatterns {
   /**
    * Gets a pattern that matches common top-level domain names in lower case.
+   * DEPRECATED: use the similarly named predicate from `HostnameRegex` from the `regex` pack instead.
    */
-  string getACommonTld() {
+  deprecated string getACommonTld() {
     // according to ranking by http://google.com/search?q=site:.<<TLD>>
     result = "(?:com|org|edu|gov|uk|net|io)(?![a-z0-9])"
   }
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/HostnameRegexp.qll b/ruby/ql/lib/codeql/ruby/security/regexp/HostnameRegexp.qll
@@ -12,8 +12,6 @@ private module Impl implements Shared::HostnameRegexpSig<TreeImpl> {
   class DataFlowNode = DataFlow::Node;
 
   class RegExpPatternSource = Regexp::RegExpPatternSource;
-
-  string getACommonTld() { result = Regexp::RegExpPatterns::getACommonTld() }
 }
 
 import Shared::Make<TreeImpl, Impl>
diff --git a/ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll b/ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll
@@ -31,7 +31,7 @@ query predicate problems(
   (
     // target contains a domain on a common TLD, and perhaps some other URL components
     target
-        .regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+" + RegExpPatterns::getACommonTld() +
+        .regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+" + HostnameRegexp::getACommonTld() +
             "(:[0-9]+)?/?")
     or
     // target is a HTTP URL to a domain on any TLD
diff --git a/ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitizationSpecific.qll b/ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitizationSpecific.qll
@@ -1,8 +1,9 @@
 import codeql.ruby.DataFlow
 import codeql.ruby.StringOps
-import codeql.ruby.Regexp::RegExpPatterns as RegExpPatterns
 
 /** Holds if `node` may evaluate to `value` */
 predicate mayHaveStringValue(DataFlow::Node node, string value) {
   node.asExpr().getConstantValue().getString() = value
 }
+
+import codeql.ruby.security.regexp.HostnameRegexp as HostnameRegexp
diff --git a/shared/regex/codeql/regex/HostnameRegexp.qll b/shared/regex/codeql/regex/HostnameRegexp.qll
@@ -10,11 +10,6 @@ private import RegexTreeView
  * analysis on regular expressions matching hostnames.
  */
 signature module HostnameRegexpSig<RegexTreeViewSig TreeImpl> {
-  /**
-   * Gets a pattern that matches common top-level domain names in lower case.
-   */
-  string getACommonTld();
-
   /** A node in the data-flow graph. */
   class DataFlowNode;
 
@@ -97,7 +92,7 @@ module Make<RegexTreeViewSig TreeImpl, HostnameRegexpSig<TreeImpl> Specific> {
     seq.getChild(i)
         .(RegExpConstant)
         .getValue()
-        .regexpMatch("(?i)" + Specific::getACommonTld() + "(:\\d+)?([/?#].*)?") and
+        .regexpMatch("(?i)" + getACommonTld() + "(:\\d+)?([/?#].*)?") and
     isDotLike(seq.getChild(i - 1)) and
     not (i = 1 and matchesBeginningOfString(seq))
   }
@@ -265,4 +260,12 @@ module Make<RegexTreeViewSig TreeImpl, HostnameRegexpSig<TreeImpl> Specific> {
   private RegExpTerm getLastChild(RegExpTerm parent) {
     result = max(RegExpTerm child, int i | child = parent.getChild(i) | child order by i)
   }
+
+  /**
+   * Gets a pattern that matches common top-level domain names in lower case.
+   */
+  string getACommonTld() {
+    // according to ranking by http://google.com/search?q=site:.<<TLD>>
+    result = "(?:com|org|edu|gov|uk|net|io)(?![a-z0-9])"
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -12,8 +12,6 @@ private module Impl implements Shared::HostnameRegexpSig<TreeImpl> {`
`12`	`12`	`class DataFlowNode = JS::DataFlow::Node;`
`13`	`13`
`14`	`14`	`class RegExpPatternSource = RegExp::RegExpPatternSource;`
`15`		`-`
`16`		`- string getACommonTld() { result = RegExp::RegExpPatterns::getACommonTld() }`
`17`	`15`	`}`
`18`	`16`
`19`	`17`	`import Shared::Make<TreeImpl, Impl>`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ query predicate problems(`
`31`	`31`	`(`
`32`	`32`	`// target contains a domain on a common TLD, and perhaps some other URL components`
`33`	`33`	`target`
`34`		`- .regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+" + RegExpPatterns::getACommonTld() +`
	`34`	`+ .regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+" + HostnameRegexp::getACommonTld() +`
`35`	`35`	`"(:[0-9]+)?/?")`
`36`	`36`	`or`
`37`	`37`	`// target is a HTTP URL to a domain on any TLD`
Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,6 @@ private module Impl implements Shared::HostnameRegexpSig<TreeImpl> {`
`13`	`13`	`class DataFlowNode = DataFlow::Node;`
`14`	`14`
`15`	`15`	`class RegExpPatternSource = Regexp::RegExpPatternSource;`
`16`		`-`
`17`		`- string getACommonTld() { result = Regexp::RegExpPatterns::getACommonTld() }`
`18`	`16`	`}`
`19`	`17`
`20`	`18`	`import Shared::Make<TreeImpl, Impl>`