C#: Deprecate all experimental queries.

Author: michaelnebel

csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql

@@ -16,9 +16,15 @@
 
 import csharp
 import TaintedWebClientLib
-import TaintedWebClient::PathGraph
+deprecated import TaintedWebClient::PathGraph
 
-from TaintedWebClient::PathNode source, TaintedWebClient::PathNode sink
-where TaintedWebClient::flowPath(source, sink)
-select sink.getNode(), source, sink, "A method of WebClient depepends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, TaintedWebClient::PathNode source, TaintedWebClient::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  TaintedWebClient::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "A method of WebClient depepends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}

csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll

@@ -6,7 +6,7 @@ import semmle.code.csharp.security.Sanitizers
 
 //If this leaves experimental this should probably go in semmle.code.csharp.frameworks.system.Net
 /** The `System.Net.WebClient` class. */
-class SystemNetWebClientClass extends SystemNetClass {
+deprecated class SystemNetWebClientClass extends SystemNetClass {
   SystemNetWebClientClass() { this.hasName("WebClient") }
 
   /** Gets the `DownloadString` method. */
@@ -16,7 +16,7 @@ class SystemNetWebClientClass extends SystemNetClass {
 //If this leaves experimental this should probably go in semmle.code.csharp.frameworks.System
 //Extend the already existent SystemUriClass to not touch the stdlib.
 /** The `System.Uri` class. */
-class SystemUriClassExtra extends SystemUriClass {
+deprecated class SystemUriClassExtra extends SystemUriClass {
   /** Gets the `IsWellFormedUriString` method. */
   Method getIsWellFormedUriStringMethod() { result = this.getAMethod("IsWellFormedUriString") }
 }
@@ -25,22 +25,22 @@ class SystemUriClassExtra extends SystemUriClass {
 /**
  * A data flow source for uncontrolled data in path expression vulnerabilities.
  */
-abstract class Source extends DataFlow::Node { }
+abstract deprecated class Source extends DataFlow::Node { }
 
 /**
  * A data flow sink for uncontrolled data in path expression vulnerabilities.
  */
-abstract class Sink extends DataFlow::ExprNode { }
+abstract deprecated class Sink extends DataFlow::ExprNode { }
 
 /**
  * A sanitizer for uncontrolled data in path expression vulnerabilities.
  */
-abstract class Sanitizer extends DataFlow::ExprNode { }
+abstract deprecated class Sanitizer extends DataFlow::ExprNode { }
 
 /**
  * A taint-tracking configuration for uncontrolled data in path expression vulnerabilities.
  */
-private module TaintedWebClientConfig implements DataFlow::ConfigSig {
+deprecated private module TaintedWebClientConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
@@ -51,7 +51,7 @@ private module TaintedWebClientConfig implements DataFlow::ConfigSig {
 /**
  * A taint-tracking module for uncontrolled data in path expression vulnerabilities.
  */
-module TaintedWebClient = TaintTracking::Global<TaintedWebClientConfig>;
+deprecated module TaintedWebClient = TaintTracking::Global<TaintedWebClientConfig>;
 
 /**
  * DEPRECATED: Use `ThreatModelSource` instead.
@@ -61,12 +61,12 @@ module TaintedWebClient = TaintTracking::Global<TaintedWebClientConfig>;
 deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { }
 
 /** A source supported by the current threat model. */
-class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
+deprecated class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
 
 /**
  * A path argument to a `WebClient` method call that has an address argument.
  */
-class WebClientSink extends Sink {
+deprecated class WebClientSink extends Sink {
   WebClientSink() {
     exists(Method m | m = any(SystemNetWebClientClass f).getAMethod() |
       this.getExpr() = m.getACall().getArgumentForName("address")
@@ -77,14 +77,14 @@ class WebClientSink extends Sink {
 /**
  * A call to `System.Uri.IsWellFormedUriString` that is considered to sanitize the input.
  */
-class RequestMapPathSanitizer extends Sanitizer {
+deprecated class RequestMapPathSanitizer extends Sanitizer {
   RequestMapPathSanitizer() {
     exists(Method m | m = any(SystemUriClassExtra uri).getIsWellFormedUriStringMethod() |
       this.getExpr() = m.getACall().getArgument(0)
     )
   }
 }
 
-private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
+deprecated private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
 
-private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }
+deprecated private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }

csharp/ql/src/experimental/CWE-918/RequestForgery.ql

@@ -11,10 +11,16 @@
  */
 
 import csharp
-import RequestForgery::RequestForgery
-import RequestForgeryFlow::PathGraph
+deprecated import RequestForgery::RequestForgery
+deprecated import RequestForgeryFlow::PathGraph
 
-from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
-where RequestForgeryFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "The URL of this request depends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  RequestForgeryFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "The URL of this request depends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}

csharp/ql/src/experimental/CWE-918/RequestForgery.qll

@@ -1,6 +1,6 @@
 import csharp
 
-module RequestForgery {
+deprecated module RequestForgery {
   import semmle.code.csharp.controlflow.Guards
   import semmle.code.csharp.frameworks.System
   import semmle.code.csharp.frameworks.system.Web
@@ -55,7 +55,7 @@ module RequestForgery {
   /**
    * A data flow module for detecting server side request forgery vulnerabilities.
    */
-  module RequestForgeryFlow = DataFlow::Global<RequestForgeryFlowConfig>;
+  deprecated module RequestForgeryFlow = DataFlow::Global<RequestForgeryFlowConfig>;
 
   /**
    * A dataflow source for Server Side Request Forgery(SSRF) Vulnerabilities.

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

@@ -19,87 +19,89 @@ import semmle.code.csharp.frameworks.system.Web
 import semmle.code.csharp.frameworks.microsoft.AspNetCore
 import experimental.dataflow.flowsources.AuthCookie
 
-from Expr httpOnlySink
-where
-  exists(Assignment a, Expr val |
-    httpOnlySink = a.getRValue() and
-    val.getValue() = "false" and
-    (
-      exists(ObjectCreation oc |
-        getAValueForProp(oc, a, "HttpOnly") = val and
-        (
-          oc.getType() instanceof SystemWebHttpCookie and
-          isCookieWithSensitiveName(oc.getArgument(0))
-          or
-          exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
-            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-            iResponse.getAppendMethod() = mc.getTarget() and
-            isCookieWithSensitiveName(mc.getArgument(0)) and
-            // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
-            not OnAppendCookieHttpOnlyTracking::flowTo(_) and
-            // Passed as third argument to `IResponseCookies.Append`
-            exists(DataFlow::Node creation, DataFlow::Node append |
-              CookieOptionsTracking::flow(creation, append) and
-              creation.asExpr() = oc and
-              append.asExpr() = mc.getArgument(2)
+deprecated query predicate problems(Expr httpOnlySink, string message) {
+  (
+    exists(Assignment a, Expr val |
+      httpOnlySink = a.getRValue() and
+      val.getValue() = "false" and
+      (
+        exists(ObjectCreation oc |
+          getAValueForProp(oc, a, "HttpOnly") = val and
+          (
+            oc.getType() instanceof SystemWebHttpCookie and
+            isCookieWithSensitiveName(oc.getArgument(0))
+            or
+            exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
+              oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+              iResponse.getAppendMethod() = mc.getTarget() and
+              isCookieWithSensitiveName(mc.getArgument(0)) and
+              // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
+              not OnAppendCookieHttpOnlyTracking::flowTo(_) and
+              // Passed as third argument to `IResponseCookies.Append`
+              exists(DataFlow::Node creation, DataFlow::Node append |
+                CookieOptionsTracking::flow(creation, append) and
+                creation.asExpr() = oc and
+                append.asExpr() = mc.getArgument(2)
+              )
             )
           )
         )
-      )
-      or
-      exists(PropertyWrite pw |
-        (
-          pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
-          pw.getProperty().getDeclaringType() instanceof
-            MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
-        ) and
-        pw.getProperty().getName() = "HttpOnly" and
-        a.getLValue() = pw and
-        DataFlow::localExprFlow(val, a.getRValue())
+        or
+        exists(PropertyWrite pw |
+          (
+            pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+            pw.getProperty().getDeclaringType() instanceof
+              MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+          ) and
+          pw.getProperty().getName() = "HttpOnly" and
+          a.getLValue() = pw and
+          DataFlow::localExprFlow(val, a.getRValue())
+        )
       )
     )
-  )
-  or
-  exists(Call c |
-    httpOnlySink = c and
-    (
-      exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
-        // default is not configured or is not set to `Always`
-        not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
-        // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
-        not OnAppendCookieHttpOnlyTracking::flowTo(_) and
-        iResponse.getAppendMethod() = mc.getTarget() and
-        isCookieWithSensitiveName(mc.getArgument(0)) and
-        (
-          // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
-          exists(ObjectCreation oc |
-            oc = c and
-            oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
-            not isPropertySet(oc, "HttpOnly") and
-            exists(DataFlow::Node creation |
-              CookieOptionsTracking::flow(creation, _) and
-              creation.asExpr() = oc
+    or
+    exists(Call c |
+      httpOnlySink = c and
+      (
+        exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
+          // default is not configured or is not set to `Always`
+          not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
+          // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
+          not OnAppendCookieHttpOnlyTracking::flowTo(_) and
+          iResponse.getAppendMethod() = mc.getTarget() and
+          isCookieWithSensitiveName(mc.getArgument(0)) and
+          (
+            // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+            exists(ObjectCreation oc |
+              oc = c and
+              oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+              not isPropertySet(oc, "HttpOnly") and
+              exists(DataFlow::Node creation |
+                CookieOptionsTracking::flow(creation, _) and
+                creation.asExpr() = oc
+              )
             )
+            or
+            // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
+            mc = c and
+            mc.getNumberOfArguments() < 3
           )
-          or
-          // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
-          mc = c and
-          mc.getNumberOfArguments() < 3
         )
-      )
-      or
-      exists(ObjectCreation oc |
-        oc = c and
-        oc.getType() instanceof SystemWebHttpCookie and
-        isCookieWithSensitiveName(oc.getArgument(0)) and
-        // the property wasn't explicitly set, so a default value from config is used
-        not isPropertySet(oc, "HttpOnly") and
-        // the default in config is not set to `true`
-        not exists(XmlElement element |
-          element instanceof HttpCookiesElement and
-          element.(HttpCookiesElement).isHttpOnlyCookies()
+        or
+        exists(ObjectCreation oc |
+          oc = c and
+          oc.getType() instanceof SystemWebHttpCookie and
+          isCookieWithSensitiveName(oc.getArgument(0)) and
+          // the property wasn't explicitly set, so a default value from config is used
+          not isPropertySet(oc, "HttpOnly") and
+          // the default in config is not set to `true`
+          not exists(XmlElement element |
+            element instanceof HttpCookiesElement and
+            element.(HttpCookiesElement).isHttpOnlyCookies()
+          )
         )
       )
     )
-  )
-select httpOnlySink, "Cookie attribute 'HttpOnly' is not set to true."
+  ) and
+  message = "Cookie attribute 'HttpOnly' is not set to true."
+}

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -68,15 +68,14 @@ predicate isExprAnAccessToSafeClientSideEncryptionVersionValue(Expr e) {
   )
 }
 
-from Expr e, Class c, Assembly asm
-where
-  asm = c.getLocation() and
-  (
+deprecated query predicate problems(Expr e, string message) {
+  exists(Class c, Assembly asm | asm = c.getLocation() |
     exists(Expr e2 |
       isCreatingAzureClientSideEncryptionObject(e, c, e2) and
       not isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(e2, asm)
     )
     or
     isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
-  )
-select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."
+  ) and
+  message = "Unsafe usage of v1 version of Azure Storage client-side encryption."
+}