Java: Remove temporary store-as-taint.

aschackmull · aschackmull · commit d383c0f69b1e · 2021-06-21T14:42:47.000+02:00
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -127,92 +127,6 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) {
   )
 }
 
-/**
- * These configurations add a number of configuration-dependent additional taint
- * steps to all taint configurations. For each sink or additional step provided
- * by a given configuration the types are inspected to find those implicit
- * collection or array read steps that might be required at the sink or step
- * input. The corresponding store steps are then added as additional taint steps
- * to provide backwards-compatible taint flow to such sinks and steps.
- *
- * This is a temporary measure until support is added for such sinks that
- * require implicit read steps.
- */
-private module StoreTaintSteps {
-  private import semmle.code.java.dataflow.TaintTracking
-  private import semmle.code.java.dataflow.TaintTracking2
-
-  private class StoreTaintConfig extends TaintTracking::Configuration {
-    StoreTaintConfig() { this instanceof TaintTracking::Configuration or none() }
-
-    override predicate isSource(DataFlow::Node n) { none() }
-
-    override predicate isSink(DataFlow::Node n) { none() }
-
-    private predicate needsTaintStore(RefType container, Type elem, DataFlow::Content f) {
-      exists(DataFlow::Node arg |
-        (isSink(arg) or isAdditionalTaintStep(arg, _)) and
-        (arg.asExpr() instanceof Argument or arg instanceof ArgumentNode) and
-        arg.getType() = container
-        or
-        needsTaintStore(_, container, _)
-      |
-        container.(Array).getComponentType() = elem and
-        f instanceof DataFlow::ArrayContent
-        or
-        container.(CollectionType).getElementType() = elem and
-        f instanceof DataFlow::CollectionContent
-        or
-        container.(MapType).getValueType() = elem and
-        f instanceof DataFlow::MapValueContent
-      )
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-      exists(DataFlow::Content f, Type elem |
-        storeStep(node1, f, node2) and
-        needsTaintStore(_, elem, f) and
-        not exists(Type srctyp | srctyp = node1.getTypeBound() | not compatibleTypes(srctyp, elem))
-      )
-    }
-  }
-
-  private class StoreTaintConfig2 extends TaintTracking2::Configuration {
-    StoreTaintConfig2() { this instanceof TaintTracking2::Configuration or none() }
-
-    override predicate isSource(DataFlow::Node n) { none() }
-
-    override predicate isSink(DataFlow::Node n) { none() }
-
-    private predicate needsTaintStore(RefType container, Type elem, DataFlow::Content f) {
-      exists(DataFlow::Node arg |
-        (isSink(arg) or isAdditionalTaintStep(arg, _)) and
-        (arg.asExpr() instanceof Argument or arg instanceof ArgumentNode) and
-        arg.getType() = container
-        or
-        needsTaintStore(_, container, _)
-      |
-        container.(Array).getComponentType() = elem and
-        f instanceof DataFlow::ArrayContent
-        or
-        container.(CollectionType).getElementType() = elem and
-        f instanceof DataFlow::CollectionContent
-        or
-        container.(MapType).getValueType() = elem and
-        f instanceof DataFlow::MapValueContent
-      )
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-      exists(DataFlow::Content f, Type elem |
-        storeStep(node1, f, node2) and
-        needsTaintStore(_, elem, f) and
-        not exists(Type srctyp | srctyp = node1.getTypeBound() | not compatibleTypes(srctyp, elem))
-      )
-    }
-  }
-}
-
 /**
  * Holds if taint can flow in one local step from `src` to `sink` excluding
  * local data flow steps. That is, `src` and `sink` are likely to represent
