Update CodeQL predicates used by ExternalAPIsQuery

Alvaro Muñoz · GeekMasher · commit 58bcdb38650f · 2024-05-31T18:32:55.000+01:00
diff --git a/csharp/lib/codeql-pack.lock.yml b/csharp/lib/codeql-pack.lock.yml
@@ -2,17 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 0.0.3
+    version: 0.1.16
   codeql/csharp-all:
-    version: 0.7.4
+    version: 0.10.1
   codeql/dataflow:
-    version: 0.0.3
+    version: 0.2.7
   codeql/mad:
-    version: 0.1.4
+    version: 0.2.16
   codeql/ssa:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/threat-models:
+    version: 0.0.15
   codeql/tutorial:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/typetracking:
+    version: 0.2.16
   codeql/util:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
 compiled: false
diff --git a/csharp/lib/qlpack.yml b/csharp/lib/qlpack.yml
@@ -2,4 +2,4 @@ library: true
 name: githubsecuritylab/codeql-csharp-libs
 version: 0.0.1
 dependencies:
-  codeql/csharp-all: '*'
+  codeql/csharp-all: 0.10.1
diff --git a/csharp/src/codeql-pack.lock.yml b/csharp/src/codeql-pack.lock.yml
@@ -2,21 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 0.0.3
+    version: 0.1.16
   codeql/csharp-all:
-    version: 0.7.4
+    version: 0.10.1
   codeql/csharp-queries:
-    version: 0.7.4
+    version: 0.8.16
   codeql/dataflow:
-    version: 0.0.3
+    version: 0.2.7
   codeql/mad:
-    version: 0.1.4
+    version: 0.2.16
   codeql/ssa:
-    version: 0.1.4
+    version: 0.2.16
   codeql/suite-helpers:
-    version: 0.6.4
+    version: 0.7.16
+  codeql/threat-models:
+    version: 0.0.15
   codeql/tutorial:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/typetracking:
+    version: 0.2.16
   codeql/util:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
 compiled: false
diff --git a/csharp/src/library_sources/ExternalAPIsQuery.qll b/csharp/src/library_sources/ExternalAPIsQuery.qll
@@ -5,7 +5,7 @@
 
 import csharp
 private import semmle.code.csharp.commons.QualifiedName
-private import semmle.code.csharp.dataflow.flowsources.Remote
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.dataflow.FlowSummary
 // SECLAB: Import CSV utils
@@ -19,9 +19,6 @@ predicate asPartialModel = ExternalFlow::asPartialModel/1;
  */
 abstract class SafeExternalApiCallable extends Callable { }
 
-/** DEPRECATED: Alias for SafeExternalApiCallable */
-deprecated class SafeExternalAPICallable = SafeExternalApiCallable;
-
 private class SummarizedCallableSafe extends SafeExternalApiCallable instanceof SummarizedCallable {
 }
 
@@ -40,7 +37,7 @@ private class DefaultSafeExternalApiCallable extends SafeExternalApiCallable {
     this = any(SystemStringClass s).getIsNullOrWhiteSpaceMethod() or
     this.getName().regexpMatch("Count|get_Count|get_Length") or
     // SECLAB: Exclude all .NET methods
-    this.getDeclaringType().getQualifiedName().matches(["System.%", "Microsoft.%", "Azure.%"])
+    this.getDeclaringType().getFullyQualifiedName().matches(["System.%", "Microsoft.%", "Azure.%"])
   }
 }
 
@@ -81,49 +78,41 @@ class ExternalApiDataNode extends DataFlow::Node {
 
   /** Holds if the callable being use has name `name` and has qualifier `qualifier`. */
   predicate hasQualifiedName(string qualifier, string name) {
-    this.getCallable().hasQualifiedName(qualifier, name)
-  }
-
-  /**
-   * DEPRECATED: Use hasQualifiedName/2 instead.
-   *
-   * Gets the description of the callable being called.
-   */
-  deprecated string getCallableDescription() {
-    exists(string qualifier, string name |
-      this.hasQualifiedName(qualifier, name) and result = getQualifiedName(qualifier, name)
-    )
+    this.getCallable().hasFullyQualifiedName(qualifier, name)
   }
 }
 
-/** DEPRECATED: Alias for ExternalApiDataNode */
-deprecated class ExternalAPIDataNode = ExternalApiDataNode;
-
-/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
-class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
+/**
+ * DEPRECATED: Use `RemoteSourceToExternalApi` instead.
+ *
+ * A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s.
+ */
+deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
   UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 }
 
-/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
-deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
+/** A configuration for tracking flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. */
+private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+}
+
+/** A module for tracking flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s. */
+module RemoteSourceToExternalApi = TaintTracking::Global<RemoteSourceToExternalApiConfig>;
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  private UntrustedDataToExternalApiConfig c;
-
-  UntrustedExternalApiDataNode() { c.hasFlow(_, this) }
+  UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flow(_, this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
-  DataFlow::Node getAnUntrustedSource() { c.hasFlow(result, this) }
+  DataFlow::Node getAnUntrustedSource() { RemoteSourceToExternalApi::flow(result, this) }
 }
 
-/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
-deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
-
 /** An external API which is used with untrusted data. */
 private newtype TExternalApi =
   /** An untrusted API method `m` where untrusted data is passed at `index`. */
@@ -148,13 +137,13 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
 
   /** Gets a textual representation of this element. */
   string toString() {
-    exists(Callable m, int index |
+    exists(Callable m, int index, string indexString, string qualifier, string name |
+      if index = -1 then indexString = "qualifier" else indexString = "param " + index
+    |
       this = TExternalApiParameter(m, index) and
+      m.getDeclaringType().hasFullyQualifiedName(qualifier, name) and
       // SECLAB: use the CSV library to get the 6 first columns
       result = asPartialModel(m.getUnboundDeclaration()) + index.toString()
     )
   }
 }
-
-/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
-deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;
diff --git a/csharp/src/qlpack.yml b/csharp/src/qlpack.yml
@@ -4,6 +4,6 @@ version: 0.0.4
 suites: suites
 defaultSuiteFile: suites/csharp.qls
 dependencies:
-  codeql/csharp-all: "*"
-  codeql/csharp-queries: "*" # Required for Dependencies.ql
+  codeql/csharp-all: 0.10.1
+  codeql/csharp-queries: 0.8.16 # Required for Dependencies.ql
   githubsecuritylab/codeql-csharp-libs: 0.0.1
