Merge pull request github#8511 from RasmusWL/use-query-suffix

Python: Use `Query.qll` suffix for dataflow configuration definitions

Author: RasmusWL

python/ql/lib/change-notes/2022-03-21-query-suffix-convention.md

@@ -0,0 +1,8 @@
+---
+category: deprecated
+---
+* Queries importing a data-flow configuration from `semmle.python.security.dataflow`
+  should ensure that the imported file ends with `Query`, and only import its top-level
+  module. For example, a query that used `CommandInjection::Configuration` from
+  `semmle.python.security.dataflow.CommandInjection` should from now use `Configuration`
+  from `semmle.python.security.dataflow.CommandInjectionQuery` instead.

python/ql/lib/semmle/python/security/dataflow/CleartextLogging.qll

@@ -1,10 +1,4 @@
-/**
- * Provides a taint-tracking configuration for "Clear-text logging of sensitive information".
- *
- * Note, for performance reasons: only import this file if
- * `CleartextLogging::Configuration` is needed, otherwise
- * `CleartextLoggingCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
@@ -14,26 +8,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources
 
-/**
- * Provides a taint-tracking configuration for detecting "Clear-text logging of sensitive information".
- */
-module CleartextLogging {
-  import CleartextLoggingCustomizations::CleartextLogging
-
-  /**
-   * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "CleartextLogging" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node)
-      or
-      node instanceof Sanitizer
-    }
-  }
+/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
+deprecated module CleartextLogging {
+  import CleartextLoggingQuery // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll

@@ -0,0 +1,33 @@
+/**
+ * Provides a taint-tracking configuration for "Clear-text logging of sensitive information".
+ *
+ * Note, for performance reasons: only import this file if
+ * `CleartextLogging::Configuration` is needed, otherwise
+ * `CleartextLoggingCustomizations` should be imported instead.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.dataflow.new.SensitiveDataSources
+import CleartextLoggingCustomizations::CleartextLogging
+
+/**
+ * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CleartextLogging" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node)
+    or
+    node instanceof Sanitizer
+  }
+}

python/ql/lib/semmle/python/security/dataflow/CleartextStorage.qll

@@ -1,10 +1,4 @@
-/**
- * Provides a taint-tracking configuration for "Clear-text storage of sensitive information".
- *
- * Note, for performance reasons: only import this file if
- * `CleartextStorage::Configuration` is needed, otherwise
- * `CleartextStorageCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CleartextStorageQuery` instead. */
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
@@ -14,26 +8,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources
 
-/**
- * Provides a taint-tracking configuration for detecting "Clear-text storage of sensitive information".
- */
-module CleartextStorage {
-  import CleartextStorageCustomizations::CleartextStorage
-
-  /**
-   * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "CleartextStorage" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node)
-      or
-      node instanceof Sanitizer
-    }
-  }
+/** DEPRECATED. Import `CleartextStorageQuery` instead. */
+deprecated module CleartextStorage {
+  import CleartextStorageQuery // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll

@@ -0,0 +1,33 @@
+/**
+ * Provides a taint-tracking configuration for "Clear-text storage of sensitive information".
+ *
+ * Note, for performance reasons: only import this file if
+ * `CleartextStorage::Configuration` is needed, otherwise
+ * `CleartextStorageCustomizations` should be imported instead.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.dataflow.new.SensitiveDataSources
+import CleartextStorageCustomizations::CleartextStorage
+
+/**
+ * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CleartextStorage" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node)
+    or
+    node instanceof Sanitizer
+  }
+}

python/ql/lib/semmle/python/security/dataflow/CodeInjection.qll

@@ -1,42 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `CodeInjection::Configuration` is needed, otherwise
- * `CodeInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CodeInjectionQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
- */
-module CodeInjection {
-  import CodeInjectionCustomizations::CodeInjection
-
-  /**
-   * A taint-tracking configuration for detecting "code injection" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "CodeInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `CodeInjectionQuery` instead. */
+deprecated module CodeInjection {
+  import CodeInjectionQuery // ignore-query-import
 }
 
-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `CodeInjectionCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `CodeInjectionQuery` instead. */
 deprecated class CodeInjectionConfiguration = CodeInjection::Configuration;

python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CodeInjection::Configuration` is needed, otherwise
+ * `CodeInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import CodeInjectionCustomizations::CodeInjection
+
+/**
+ * A taint-tracking configuration for detecting "code injection" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CodeInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/CommandInjection.qll

@@ -1,42 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `CommandInjection::Configuration` is needed, otherwise
- * `CommandInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CommandInjectionQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
- */
-module CommandInjection {
-  import CommandInjectionCustomizations::CommandInjection
-
-  /**
-   * A taint-tracking configuration for detecting "command injection" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "CommandInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `CommandInjectionQuery` instead. */
+deprecated module CommandInjection {
+  import CommandInjectionQuery // ignore-query-import
 }
 
-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `CommandInjectionCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `CommandInjectionQuery` instead. */
 deprecated class CommandInjectionConfiguration = CommandInjection::Configuration;

python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CommandInjection::Configuration` is needed, otherwise
+ * `CommandInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import CommandInjectionCustomizations::CommandInjection
+
+/**
+ * A taint-tracking configuration for detecting "command injection" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CommandInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll

@@ -1,60 +1,12 @@
-/**
- * Provides taint-tracking configurations for detecting LDAP injection vulnerabilities
- *
- * Note, for performance reasons: only import this file if
- * `LdapInjection::Configuration` is needed, otherwise
- * `LdapInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `LdapInjectionQuery` instead. */
 
 import python
 import semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
-/**
- * Provides aint-tracking configurations for detecting LDAP injection vulnerabilities.class
- *
- * Two configurations are provided. One is for detecting LDAP injection
- * via the distinguished name (DN). The other is for detecting LDAP injection
- * via the filter. These require different escapings.
- */
-module LdapInjection {
-  import LdapInjectionCustomizations::LdapInjection
-
-  /**
-   * A taint-tracking configuration for detecting LDAP injection vulnerabilities
-   * via the distinguished name (DN) parameter of an LDAP search.
-   */
-  class DnConfiguration extends TaintTracking::Configuration {
-    DnConfiguration() { this = "LdapDnInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof DnSanitizerGuard
-    }
-  }
-
-  /**
-   * A taint-tracking configuration for detecting LDAP injection vulnerabilities
-   * via the filter parameter of an LDAP search.
-   */
-  class FilterConfiguration extends TaintTracking::Configuration {
-    FilterConfiguration() { this = "LdapFilterInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof FilterSanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `LdapInjectionQuery` instead. */
+deprecated module LdapInjection {
+  import LdapInjectionQuery // ignore-query-import
 }