Skip to content

Commit c0b5a9a

Browse files
asgerfasgerf
committed
JS: Deprecate AdditionalTaintStep
1 parent 332ee40 commit c0b5a9a

File tree

2 files changed

+14
-4
lines changed

2 files changed

+14
-4
lines changed

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -338,7 +338,7 @@ module TaintTracking {
338338
*/
339339
cached
340340
predicate legacyAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
341-
any(AdditionalTaintStep step).step(pred, succ)
341+
any(InternalAdditionalTaintStep step).step(pred, succ)
342342
}
343343

344344
/**
@@ -469,14 +469,23 @@ module TaintTracking {
469469
}
470470

471471
/**
472+
* DEPRECATED. Subclasses should extend `SharedTaintStep` instead, unless the subclass
473+
* is part of a query, in which case it should be moved into the `isAdditionalTaintStep` predicate
474+
* of the relevant taint-tracking configuration.
475+
* Other uses of the `step` relation in this class should instead use the `TaintTracking::sharedTaintStep`
476+
* predicate.
477+
*
472478
* A taint-propagating data flow edge that should be added to all taint tracking
473479
* configurations in addition to standard data flow edges.
474480
*
475481
* Note: For performance reasons, all subclasses of this class should be part
476482
* of the standard library. Override `Configuration::isAdditionalTaintStep`
477483
* for analysis-specific taint steps.
478484
*/
479-
abstract class AdditionalTaintStep extends DataFlow::Node {
485+
deprecated class AdditionalTaintStep = InternalAdditionalTaintStep;
486+
487+
/** Internal version of `AdditionalTaintStep` that won't trigger deprecation warnings. */
488+
abstract private class InternalAdditionalTaintStep extends DataFlow::Node {
480489
/**
481490
* Holds if `pred` → `succ` should be considered a taint-propagating
482491
* data flow edge.

javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,8 +9,9 @@ import javascript
99
*
1010
* A taint propagating data flow edge arising from an operation in a URI library.
1111
*/
12-
abstract deprecated class UriLibraryStep extends DataFlow::ValueNode,
13-
TaintTracking::AdditionalTaintStep { }
12+
abstract deprecated class UriLibraryStep extends DataFlow::ValueNode {
13+
predicate step(DataFlow::Node pred, DataFlow::Node succ) { none() }
14+
}
1415

1516
/**
1617
* Provides classes for working with [urijs](http://medialize.github.io/URI.js/) code.

0 commit comments

Comments
 (0)