Refactor to using ThreatModelFlowSource

egregius313 · egregius313 · commit 434fa20646ad · 2024-02-29T12:03:05.000-05:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
@@ -97,14 +97,14 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu
   override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 }
 
-/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
+/** A configuration for tracking flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. */
 private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 }
 
-/** A module for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
+/** A module for tracking flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. */
 module RemoteSourceToExternalApi = TaintTracking::Global<RemoteSourceToExternalApiConfig>;
 
 /** A node representing untrusted data being passed to an external API. */
diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
@@ -12,15 +12,15 @@
  */
 
 import csharp
-import semmle.code.csharp.security.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 import semmle.code.csharp.frameworks.system.Xml
 import XmlInjection::PathGraph
 
 /**
  * A taint-tracking configuration for untrusted user input used in XML.
  */
 module XmlInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(MethodCall mc |

Original file line number	Diff line number	Diff line change
`@@ -97,14 +97,14 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu`
`97`	`97`	`override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }`
`98`	`98`	`}`
`99`	`99`
`100`		-/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
	`100`	+/** A configuration for tracking flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. */
`101`	`101`	`private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {`
`102`		`- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
	`102`	`+ predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }`
`103`	`103`
`104`	`104`	`predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }`
`105`	`105`	`}`
`106`	`106`
`107`		-/** A module for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
	`107`	+/** A module for tracking flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. */
`108`	`108`	`module RemoteSourceToExternalApi = TaintTracking::Global<RemoteSourceToExternalApiConfig>;`
`109`	`109`
`110`	`110`	`/** A node representing untrusted data being passed to an external API. */`